The deadline to meet the requirements of the European General Data Protection Regulation (GDPR) is fast approaching and many companies are still scrambling to make their businesses compliant.
About two thirds of the 745 executives across 19 countries surveyed by accountancy firm Ernst & Young at the start of the year did not have a plan for the GDPR, which becomes EU law on Friday May 25. This suggests that the rush to meet the complex new data law’s requirements could carry on throughout the year and beyond.
When a similar data protection law – the Dutch Personal Data Protection Act – was introduced in the Netherlands in January 2016, there were more than 1,000 breaches in the first 100 days.
The GDPR, which requires companies to prove they understand where data is held and who has access to it, does not just apply to EU businesses but to any company holding European data. It is essentially global in reach.
| Key requirements under GDPR |
| --- |
| Increased rights for data subjects, the right to “be forgotten” and data portability |
| Software developed with security in mind (privacy by design and by default) |
| Pseudonymisation or encryption of personal data |
| Secure processing of data |
The penalties for non-compliance are considerable, with fines up to €20bn or 4% of revenue, whichever is higher.
IT spending spike
The resultant spike in global IT spending should provide a shot in the arm for a raft of companies in the field of vulnerability management, security analytics, identity and data protection technologies and storage software over the coming months.
“We believe there could be an upsurge in demand for cyber security products,” said Harriet Parker, investment manager at Liontrust Asset Management.
The prospects for companies involved in protecting personal or corporate data from theft have also been boosted by a raft of recent high-profile breaches that have fuelled concerns about how personal data is managed.
“Many organisations have allocated additional spending to comply with GDPR and a good proportion of this money looks set to be channelled towards external advisory services, benefiting companies with greater involvement in this area,” she said.
Initial research last year showed corporate disclosure on this issue was limited, suggesting that smaller companies with fewer resources could be at significant risk given the potential fines and loss of consumer trust.
Software firms benefit
A broad range of businesses that have a high percentage of revenues coming from products exposed to digital security growth stand to benefit from the shift, including vendors, master data management companies and larger systems integrators and consultants.
Current holdings with exposure to this include pure-play security software providers such as Sophos in the UK and Splunk in the US, Parker said.
Sophos provides information technology security and data protection products, offering protection against viruses, malware, spyware, intrusions, unwanted applications, spam, policy abuse and data leakage.
Splunk develops web-based application software that collects and analyses data generated by websites, applications, servers, networks and mobile devices. Its products can be used alongside traditional digital security products to better assess threats, incidents and responses.