More than half of organisations subject to GDPR collect more data than the regulation permits, a study has found

A Data Risk and Security report released by the security software company Netwrix has revealed that companies are failing to follow GDPR and security best practices. The survey of just over a thousand respondents revealed that security professionals are often bypassing many of the six stages of the data lifecycle. While security issues are mitigated at some stages, many important stages are being overlooked, resulting in vulnerable systems.

The data storage stage proved to be the most challenging stage for ensuring data protection, according to the report. A quarter of organisations reported discovering data outside of secure locations. It took 43% of these companies several days to discover the incident and 23% of these companies several weeks. These statistics contradict the finding that 91% of organisations surveyed claim their sensitive data is stored securely.

According to the report, almost two thirds of companies subject to the GDPR exceed data collection limits outlined in law. About half of organisations ignore the security practice of reviewing access rights to data on a regular basis.

Classification of data by design and default significantly speeds up the handling of data subject access requests (DSARs), according to the survey. Companies that do this spend an average of three hours on each DSAR, which is eleven times faster than those who do not classify their data at creation. Additionally, those without classification processes report a 50-74% increase in the cost of managing DSARs, compared with an increase of less than 24% for those who classify their data.

Thirty percent of organisations that do not have a data classification process never get rid of redundant, obsolete, and trivial (ROT) data, compared to just 6% of those who have data classification processes in place.

A more positive statistic shows that all organisations that have hired a chief data officer (CDO) have implemented data discovery and classification processes.

Additionally, the report shows that companies generally lack knowledge about the data they collect. Little is understood about who has access to it, where it is kept and how sensitive it is. The report concluded that both factors prevent companies from achieving efficient data security.

