Trend Micro Research Reveals C-level Executives Are Not Prepared for GDPR Implementation

  • Senior executives shun GDPR responsibility in 57 per cent of businesses
  • 42 per cent of businesses don’t know email marketing databases contain PII
  • 22 per cent of businesses claim a fine ‘wouldn’t bother them’ if found in violation

Auckland, September 6, 2017 – With the General Data Protection Regulation (GDPR) taking effect May 25, 2018, businesses around the globe should be preparing accordingly. However, through a recent survey, Trend Micro, a global leader in cybersecurity solutions, found that C-suite executives are not approaching the regulation with the seriousness required, resulting in overconfidence when it comes to compliance.

GDPR Awareness

The company’s research reveals a robust awareness of the principles behind GDPR, with a strong 95 per cent of business leaders knowing they need to comply with the regulation, and 85 per cent having reviewed its requirements. In addition, 79 per cent of businesses are confident that their data is as secure as it can possibly be.

Despite this perceived awareness, there is some confusion as to exactly what Personally Identifiable Information (PII) needs to be protected. Of those surveyed, 64 per cent were unaware that a customer’s date of birth constitutes as PII. Additionally, 42 per cent wouldn’t classify email marketing databases as PII, 32 per cent don’t consider physical addresses and 21 per cent don’t see a customer’s email address as PII, either. These results indicate that businesses are not as prepared or secure, as they believe themselves to be. Regardless, this data provides hackers with all they need to commit identity theft, and any business not properly protecting this information is at risk of a penalty fine.

The global findings are aligned to a survey conducted at Trend Micro’s CLOUDSEC conference in Sydney in August. Although more than half (56 per cent) agree that they will be impacted by the mandatory data breach notification scheme set to be in place from early 2018, and they either already have a process in place, or are working on a formal process. Surprisingly, as many as 16 per cent don’t believe they will be impacted by the scheme, and more than a quarter (28 per cent) admit they only have an informal process in place, or no process at all for risk management and cloud security within their organisation.

Indi Siriniwasa, Managing Director - Enterprise & Government, Trend Micro ANZ, said that it is concerning that so many Australian organisations are not prepared for the new legislation, or are of the belief that they won’t be affected. “It has never been more important for organisations to make cybersecurity a key priority, and protect the interests of their customers against cybersecurity attacks. Not only is this a security and prevention issue, but it can also have a disastrous impact on both brand and reputation” said Siriniwasa.

The Cost of Not Being Compliant

According to the global survey, a staggering 66 per cent of respondents appear to be dismissive of the amount they could be fined without the required security protections in place. Only 33 per cent recognise that up to four per cent of their annual turnover could be sacrificed. Additionally, 66 per cent of businesses believe reputation and brand equity damage is the biggest pitfall in the event of a breach, with 46 per cent of respondents claiming this would have the largest affect amongst existing customers. These attitudes are especially alarming considering businesses could be shut down in the event of a breach.

Responsible Parties

Trend Micro also learned that businesses are uncertain as to who is held accountable for the loss of EU data by a U.S. service provider. Only 14 per cent could correctly identify that the loss of data is the responsibility of both parties – 51 per cent believing the fine goes to the EU data owner, while 24 per cent think the US service provider is at fault.

In addition, it turns out businesses aren’t sure who should take ownership of ensuring compliance with the regulation, either. Of those surveyed, 31 per cent believe the CEO is responsible for leading GDPR compliance, whereas 27 per cent think the CISO and their security team should take the lead. However, only 21 per cent of those businesses actually have a senior executive involved in the GDPR process. Meanwhile, 65 per cent have the IT department taking the lead, while only 22 per cent have a board level or management member involved.

“Increasingly, cybersecurity is being addressed by executives at board level which has been triggered mainly by the widespread awareness around the financial and reputational threat that outbreaks such as WannaCry and Petya have had on organisations around the world. It’s important for key decision makers including board executives to take shared responsibility to drive much needed industry change,” added Siriniwasa.

The Technology Required

With threats growing in sophistication, businesses often lack the expertise to combat them, and layered data protection technology is required. GDPR mandates that businesses must implement state-of-the-art technologies relative to the risks faced. Despite this, only 34 per cent of businesses have implemented advanced capabilities to identify intruders, 33 per cent have invested in data leak prevention technology and 31 per cent have employed encryption technologies.

The Research

For more information about Trend Micro’s findings on the pulse of business leaders regarding GDPR, check out the infographic and supplemental blog post. In partnership with Opinium, Trend Micro conducted its survey between May 22 and June 28, 2017. The preceding results are gleaned from 1,132 online interviews with IT decision makers from businesses with 500+ employees in 11 countries, including United States of America (USA), United Kingdom (UK), France, Italy, Spain, Netherlands, Germany, Poland, Sweden, Austria and Switzerland. Respondents of the survey hold either senior executive, senior management or middle management positions in multiple industries including retail, financial services, public sector, media and construction.

The Trend Micro CLOUDSEC Sydney survey was conducted in August at Sydney CLOUDSEC 2017, attended by more than 1000 IT executives. Live results can be viewed here.

About Trend Micro

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centres, cloud environments, networks and endpoints. All our products work together to seamlessly share threat intelligence and provide a connected threat defense with centralised visibility and control, enabling better, faster protection. With more than 5,000 employees in over 50 countries and the world’s most advanced global threat intelligence, Trend Micro enables organisations to secure their journey to the cloud. For more information, visit