Many SMEs in Europe still unprepared for the data privacy regulations GDPR will bring

A new report compiled after a survey conducted by independent analysts from International Data Corporation (IDC) – who surveyed SMEs from across Europe – has found that a large proportion of companies are unprepared for the major regulatory changes expected to be introduced as part of the EU’s General Data Protection Regulation (GDPR).

The report, titled ‘New Offerings Make MFA and Encryption Accessible to SMEs as Data Protection Challenges European Organizations’ and sponsored by ESET, reveals the number of (acknowledged) data breaches and the estimated costs.

Among the key findings from the IDC report are: 22% of companies are not aware of the GDPR, while 52% know about it but say its impact is unclear. Of those who know about it, 20% are not prepared at all and 59% are not fully GDPR-compliant, while a further 56% of the surveyed companies don’t currently measure breach/attack costs.

“While regulations are being put in place to impose more control over how data is handled, they are mostly concerned with private data. The wider availability and increasing affordability of big data technology, particularly cloud-supported offerings, has made it possible for SMEs to provide analytical services to larger customers. These companies should pay closer attention to data protection, as they are also subject to the data privacy protection regulations due to their handling of large volumes of private data. Nevertheless, these companies often lack the appropriate expertise to protect that data,” states the report.

In terms of regulations, a majority of respondents (46%) cited the Payment Card Industry (PCI) data security standard as affecting their organization. The EU General Data Protection Regulation (GDPR) and Network Information Security Directive (NISD) followed with 37% and 36%, respectively.

“GDPR has been heavily covered in the media and through conferences and seminars over the past year, and yet 52% of respondents still say that its impact for their organization is unclear, while a quarter were not aware of it at all (see Figure 3). Of those that are aware of GDPR, 20% claim they are already compliant, 59% say they are working on it, and 21% say they are not prepared at all,” it notes.

The GDPR was approved by the EU Parliament on April 14, 2016 and will be directly applied in all member states two years after this date, with a possible enforcement date of May 25, 2018. Upon enforcement, organizations found to be non-compliant will face heavy fines (up to €20 million). The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organizations across the region approach data privacy. In a nutshell, GDPR will affect every organization in Europe that handles personal data of any kind.

Despite encryption being named in the regulation itself as a tool which organizations can use to achieve compliance, penetration of this technology is low in the SME segment. The situation is similar for multi-factor authentication, which is an effective way to harden access to sensitive data and systems.

IDC surveyed 700 respondents in seven European countries (Spain, Czech Republic, UK, Italy, Slovakia, Netherlands, Germany). The companies surveyed as part of the study were SMEs with 50-500 endpoints, across all major verticals; respondents were in C-level, IT security or IT admin management roles. The main topics of the survey were: data security and protection; deployed and desired security solutions; data breaches; important criteria when choosing encryption; important criteria when choosing MFA.