The GDPR’s May 25, 2018 deadline resulted in a mad compliance and security scramble not only for European companies but also for any company doing business in Europe or with European customers.
We just published a new market research report on GDPR. The purpose of this survey of 262 executives was to quantify – as close to the May 25th deadline as possible – the following three key issues related to GDPR:
- How do organizations view the emerging challenges tied to information privacy and security, and who have they charged with this task?
- At the deadline, where are organizations in their GDPR journey, and how much did they spend to get there? How do they assess their progress in meeting the core requirements of GDPR?
- What kinds of special pain points do unstructured information (i.e., content) raise in GDPR compliance efforts, and which core IIM technologies do organizations see as critical to their efforts?
For organizations at a significant scale – most of those in our survey – GDPR poses challenges that seem not that difficult on the surface but are actually quite complex. As an example, consider the right of customers to be provided a machine-readable version of ALL of the information handled by a company. For relatively small companies, this is likely a process that could be handled manually if necessary; the volume of requests is likely to be small, as is the number of systems in which personal information is likely to be contained.
But at scale, consider the number of places that data and content about a fictional “Mary Smith” are likely to be found. Consider how disconnected most of these systems are – the challenges most organizations have with relatively simple case management provide a good example of the complications created by disparate and disconnected systems.
Now consider how many unique ways “Mary Smith” is likely to be identified in these systems. Sometimes “Mary Smith.” Sometimes by her maiden name, “Mary Jones.” Sometimes by her email address, in all likelihood, multiple email addresses. Sometimes by her account number. Sometimes by a variation of her name like “M. Elizabeth Smith.” The potential complications associated with what seems a relatively simple task on the surface are mind-boggling.
Now consider how many of these kinds of requests an organization at a significant scale is likely to get in the course of a year. There is some speculation that individuals with a grievance against a particular company might use social media to “flood” a company with requests – somewhat akin to a denial of service attack.
Lastly, as those in the content space know, there are well-known challenges associated with finding and managing personal information within the vast troves of unstructured information that are much more complex than those on the structured data side of the house.
Key Findings
- 20-30% of organizations have little or only marginal confidence in their ability to meet core GDPR compliance requirements. Particularly problematic are requirements dealing with 1) proving compliance in an audit context, 2) generating clean and auditable records of processing activities, 3) meeting the 72-hour regulator breach notification requirement, and 4) cross border transfers.
- 20-30% of organizations also have little or only marginal confidence in their ability to respond to the new customer rights created by the GDPR. Particularly problematic are: 1) the right to be forgotten; 2) the right to data portability and be provided a machine-reading file of all personal information, and 3) the right to object to the processing of data.
- Over 30% of organizations have little or only marginal confidence that the personal information in their core content systems is under control. Shared drives, SharePoint repositories, and content lodged in third-party SaaS applications are particularly challenging.
- With regard to the right to be forgotten, only 40% of organizations have automated processes in place to delete personal information within these systems.
- 39% of organizations have no idea how much it will cost to find all of the information they have about a particular individual (to meet the right to data portability). For those who DO know, 48% believe this seemingly simple right will cost more than €5,000 per request.
- On average, companies expect 60.1 GDPR data requests in the first 12 months, with an average cost of €4,604 EACH. This means an average operating cost of over €276,700 simply to meet the core GDPR rights tied to identifying and accessing personal information.
- 60% of organizations believe the GDPR core requirements relative to website content and processes are under control – which means 40% either believe they are not or have no idea. [Author’s note: Even the 60% is likely to prove an overly optimistic number once organizations experience the complexities that are involved.]
- Organizations see the following IIM technologies as most important in their GDPR compliance efforts:
- Electronic records management and digital preservation
- Data recognition, extraction, and standardization
- Business process management
- Cloud content management
- Artificial intelligence, content analytics, and semantics
- Automated document classification and PII identification