The EU’s General Data Protection Regulation (GDPR) is just 10 weeks away but many organisations are not doing all they can to protect data privacy – and some are even missing out on opportunities through fear of collecting too much data. A PwC survey on data security found that almost half of the survey's respondents (9,500 senior business and technology executives from 122 countries) say their organisation limits collection, retention, and access of personal information to the minimum necessary to accomplish the legitimate purpose for which it is collected. Some of the figures from the survey include:

• only 51 per cent of executives have an accurate inventory of employee and customer personal data;
• 53 per cent conduct compliance audits of third parties who handle customer and employee data;
• 48 per cent say advanced authentication has helped reduce fraud; 46 per cent plan to boost investment in this area in 2018;
• only 31 per cent say corporate board directly participates in a review of current security and privacy risks; and
• 32 per cent of respondents had started a GDPR assessment in 2017.

Opportunities in GDPR

Companies are also falling short when it comes to protecting customer and employee data handled by third parties – fewer than half conduct compliance audits to ensure they have the capacity to protect such information and the same number (only 46 per cent) say their organisation requires third parties to comply with their privacy policies.

And businesses in Europe and the Middle East generally lag behind those in Asia, North America, and South America in developing an overall information security strategy and implementing data-use governance practices.

PwC's Sean Joyce commented: “Using data in more innovative ways opens the door to both more opportunities and more risks. There are very few companies that are building cyber and privacy risk management into their digital transformation. Understanding the most common risks, including lack of awareness about data collection and retention activities, is a starting point for developing a data-use governance framework.”

What is the NIS directive?

But GDPR isn't the only EU directive on the horizon that will have a profound impact on how companies handle data security. The EU’s Directive on Security of Network and Information Systems (NIS directive), which aims to boost cyber resilience, also goes into effect in May 2018. PwC explains that businesses identified by member states as operators of essential services (critical infrastructure), as well as digital service providers (search engines, cloud computing services and online marketplaces), face new requirements under the directive for security and for reporting incidents to national authorities. As with GDPR, companies could face serious consequences for noncompliance. PwC's Grant Waterfall said: “CEOs should see GDPR and the NIS directive not as compliance drills but rather as strategic opportunities to align their business for success in a data-driven world. In addition, companies should be reaching out to regulators to build relationships and lines of communication before compliance deadlines arrive.”