New research has revealed that large British businesses are facing three major obstacles to EU General Data Protection Regulation (GDPR) compliance: data sprawl, a huge influx of personal customer information and uncertainty around data ownership[1]. In fact, these British businesses appear to be facing an uphill struggle to achieve GDPR compliance, with many left managing end users’ personal data across 24 different systems and a network of 48 other companies on average.

The research – commissioned by Citrix UK and carried out by One Poll – quizzed 500 IT decision-makers in companies with 250 or more employees across the UK to pinpoint the hidden obstacles still facing British businesses when it comes to GDPR compliance. The research offers a snapshot of the extent to which large UK businesses recognise ownership of customers’ personal data, how much personal data they are collecting and if they have plans in place to ensure compliance around this data.


  1. Tackling data sprawl

Surveyed UK businesses are facing a major challenge to GDPR compliance: controlling huge amounts of data across disparate systems. According to the study, while the average large UK business now uses 24 systems to manage and store personal data, one in five (21 per cent) use over 40 systems to do so.

Additionally, almost half (47 per cent) of the respondents share customers’ personal data with other businesses – significantly adding to data sprawl. On average, they share this data with 48 other businesses, and nearly half (48 per cent) of those businesses admitted to sharing it with over 50 other organisations. While the majority believe they retain complete control over this shared data, 15 per cent admit to losing at least some degree of control over data once it has been shared.


  2. Information overload

On average, large UK businesses that responded to the survey collect personal data from 577 individuals each day. However, more than one in four (26 per cent) large businesses collect personal data from over 1,000 individuals every 24 hours – creating a huge influx of data to store and manage in the enterprise.

Over half (58 per cent) of the respondents admit to storing personal data for over a year, and a quarter (25 per cent) end up storing personal data for over five years. Despite this, two fifths (40 per cent) of respondents admitted that not all of the personal data they store is actually used by the business, while almost one in ten (8 per cent) admit they never use any of the personal data they store.


  3. Division on data ownership

Almost two thirds (65 per cent) of the firms surveyed store and manage personal data based on predictive analytics but, interestingly, businesses could not agree on who owned this data. Only a quarter (27 per cent) of businesses believe this data is owned by the customer while half (50 per cent) think it belongs to the organisation.

Understanding data ownership and accountability is a key first step on the journey to GDPR compliance. So, perhaps unsurprisingly, almost two fifths (38 per cent) of respondents acknowledge that they are not ready for the GDPR: they either admit that their current access control policies are insufficient to comply with the regulation, or they have ‘no idea’ whether they meet the regulation’s standards. In fact, just half (52 per cent) of the large UK businesses surveyed carry out data privacy impact assessments for all or most of the personal data stored by the enterprise – an essential step in implementing policies that ensure data privacy.

Why GDPR is important

The GDPR will do far more than strengthen data privacy rights. The regulation will set a high bar for responsibility and accountability – and not one that every business will meet. While many British organisations are taking steps to achieve compliance in time for the May 2018 deadline, our research clearly reveals some significant obstacles, including uncontrolled data sprawl and lack of understanding around data ownership.

Ensuring data privacy processes and systems are in place – from privacy by design to privacy by default – requires an organisation to know exactly where their data is and who can access it. Yet many are losing sight of data, spread across multiple systems and shared with multiple partners, while also struggling to scale up to store and control the huge influx of personal customer data they receive today.

Businesses must recognise that more centralised application and data storage environments will make it easier to meet technical compliance goals. This centralisation can be achieved in various ways, from introducing unified access controls across on-premises and cloud services with single sign-on to rolling out centrally managed virtual workspaces. However it is done, controlling data sprawl and recognising enterprise accountability for data privacy will be key to GDPR compliance.

Methodology

Citrix commissioned One Poll to conduct an online survey of 500 IT decision makers at companies across the UK with 250 or more employees between 22nd May and 26th May 2017.

[1] Research refers to an online survey of 500 IT decision makers at companies across the UK with 250 or more employees between 22nd May and 26th May 2017

How is Citrix addressing GDPR internally?

At Citrix, our mission is to safeguard our customers’ apps and data. As a trusted partner to the largest enterprises around the globe, Citrix takes the handling and protection of sensitive business information most seriously. Like most global companies, Citrix is doing the work necessary to fulfil the requirements of the GDPR. Citrix has a long record of data privacy and security compliance, and we aim to be ready for the GDPR. Currently, Citrix participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. See https://www.citrix.com/about/legal/privacy/. For questions about our Privacy program and/or GDPR compliance, please contact privacy@citrix.com. To learn more about our solutions and how we help our customers stay secure and compliant, visit citrix.com/secure

Legal Disclaimer: This document provides a general overview of the EU General Data Protection Regulation (GDPR) and is not intended as and shall not be construed as legal advice. Citrix does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that Customers or Channel Partners are in compliance with any law or regulation. Customers and Channel Partners are responsible for ensuring their own compliance with relevant laws and regulations, including GDPR. Customers and Channel Partners are responsible for interpreting themselves and/or obtaining advice of competent legal counsel with regard to any relevant laws and regulations applicable to them that may affect their operations and any actions they may need to take to comply with such laws and regulations.
