The GDPR compliance deadline is a week away, but only 29 per cent of companies in the Asia Pacific region will be ready, according to a new global survey by the Information Systems Audit and Control Association (ISACA).
Not only are most organisations unprepared for the deadline, but only around half of the companies surveyed (51 per cent) expect to be compliant by the year-end, and 40 per cent do not know when they will be fully compliant.
The survey reveals the top five challenges related to GDPR compliance.
Cost was the sixth highest concern, at 33 per cent. About 20 per cent say it will cost under US$1 million to become GDPR compliant, with 14 per cent spending $1 million or more. Two-thirds of the business technology professionals surveyed in APAC were unsure how much their organisations would be spending.
The survey was conducted last month among 6,000 business and technology professionals who are members of ISACA.
“When protecting data, we can’t think in terms of nations - or even specific industries - anymore,” says ISACA, on the global implications of GDPR.
“The digital economy is global and borderless, and the co-mingling of industries (e.g., online retailers offering financial and banking services, etc.) demonstrates that even the borders between industries are crumbling. This will not change - it will only increase.”
ISACA suggests organisations think in terms of ecosystems, including the global, interrelated ecosystems of commerce, law enforcement and communication that are part of modern civilisation.
“If we approach data protection from the standpoint of ecosystems, our actions must focus on hardening that ecosystem, making it more robust, globally,” the report states.
“This means that it is very likely that data protection public policy measures will become the norm, globally - not the exception.
“As emerging technologies arise and their impacts are felt in data protection, those new concerns must be taken into consideration when shaping the next generation of data protection legislation and regulation.
“This also means that the stakeholder group that participates in crafting the ‘nextgen’ version of the GDPR must be both broad and deep, encompassing as many aspects and levels of the public and private sectors, academia, and the NGO community as possible.”
“The time to prepare for a data-driven future is before it arrives - not after,” notes ISACA.
ISACA says one of the survey’s most concerning findings is the level of employee education on GDPR and on employees’ role in compliance.
Only 42 per cent of respondents say their organisations’ employees have been educated to a satisfactory level about their responsibilities to maintain GDPR compliance.
“Employee awareness and education are critical components of ongoing GDPR compliance,” says Dr Chris K. Dimitriadis, chair of ISACA’s GDPR Working Group.
“Awareness of - and commitment to - well-defined security, data management, and privacy policies and procedures clearly need to be an integral part of every organisation’s culture, from the top down.”
ISACA says the good news is that the majority of executive leaders in APAC recognise the importance of GDPR and its implications.
The survey finds two-thirds of respondents (66 per cent) believe their organisation’s executives have made becoming GDPR-compliant a priority.
Organisations also expect to achieve significant benefits from GDPR compliance. The top three anticipated positive outcomes are:
One of the most practical and cost-effective ways organisations can support GDPR and other compliance requirements is to help employees understand the business value of the information they deal with regularly, says Tim Upton, CEO at TITUS, which sponsored the research.
“That way, employees become more aware of their responsibilities when it comes to handling and protecting data within the flow of work, providing added value to the ways organisations earn and maintain the trust of customers and employees.”