Companies aren’t ready for new data protection regulations: Survey

Many companies are unprepared for new European regulations that will require higher standards of data protection, according to a survey from cybersecurity firm Symantec.

The European General Data Protection Regulation (GDPR) will come into effect in May 2018 and require companies to introduce strong security to protect data and clear accountability so that firms may be held accountable if they were negligent.

Breaching the provisions of the GDPR could lead to fines of up to 20 million euros ($22 million) or 4 percent of global annual turnover, whichever is higher. However, Sian John, chief strategist for EMEA at Symantec, said fines are unlikely to start off that high.

"Most of what (the GDPR) requires from businesses isn't technical," she explained to CNBC in a phone interview. "95 percent of the regulation is about how to run the organisation procedurally, how to take privacy seriously and protect the sensitive personal data of customers and employees."

boschettophotography | Getty Images

But many European businesses could be behind with their preparations. Symantec's State of European Data Privacy Survey, published Tuesday, found that 96 percent of companies do not fully understand the GDPR, based on an online survey of 900 business and I.T. decision makers in the U.K., France and Germany.

Of more concern, 23 percent said their organisation would not be fully compliant when the regulation comes into effect. Of this group, 20 percent felt it was not possible for their company to become fully compliant.

"Whether companies will successfully navigate the GDPR regulation hinges on their willingness to embrace privacy by design," said Peter Gooch, cyber risk partner at Deloitte, in a press release.

"They must also understand that good security and privacy processes can provide a substantial competitive advantage and be a driver in gaining consumer trust, in addition to being driven by regulatory requirements."

One big change in the new regulations will mean companies must ensure they have consent to use personal data.

"One of the big changes between the directive (on the protection of personal data) and the regulation is in the directive you could have implied consent," John said. "Now you have to get explicit consent for every use you make of personal data."

This could create issues for marketing companies, or firms looking to create new products like a loyalty scheme, as they will need explicit consent from European residents to use their personal data, even if they've already collected it.

"It's about giving power to the consumer… to know how their data is being used."

But the core purpose of the regulations, according to John, is to ensure good data governance and make sure that firms collect, manage and protect data appropriately.

"It's a real opportunity (for businesses) to do the things you should have always done," she added. "If you sort out knowing where your data is and what control you've got in your organisation, you'll probably get more value out of it and maybe won't keep stuff you don't need anymore."

Follow CNBC International on Twitter and Facebook.

Correction: This article has been updated to state that Sian John, chief strategist for EMEA at Symantec, believes that GDPR fines would not start at 20 million euros ($22 million).