Recent research revealed a startling gap in security awareness among U.S. business leaders. According to an NTT Security report, “Business Security: Always a Journey, Never a Destination,” three-quarters of non-IT leaders at U.S. firms believe that the European Union’s (EU) upcoming General Data Protection Regulation (GDPR) does not apply to them.

But the problem is not confined to the U.S. The study found that business leaders in Hong Kong (29 percent), Australia (26 percent) and Singapore (33 percent) also lacked awareness of the law and its impact on any organization that houses data collected from EU subjects.

The study involved workers in the U.S., U.K., Germany, Austria, Switzerland, France, Sweden, Norway, Hong Kong, Australia and Singapore. Thirty-five percent of the respondents were C-level executives.

Lack of Awareness Stymies GDPR Preparedness

The GDPR will kick in on May 25, 2018. The regulation will govern how organizations handle data breaches and store personally identifiable information (PII). For example, data cannot be exported from the EU without special handling or transmitted to a third party without explicit user consent.

To comply with the GDPR, a company must know where its data is being stored and who can access it. Unfortunately, the NTT Security study found that one-third of employees had no idea where data resides, and pointed to the need for immediate training on the subject. Of the two-thirds of employees who knew where data was stored, less than half understood how the regulation would affect it.

“While the GDPR is a European data protection initiative, the impact will be felt right across the world for anyone who collects or retains personally identifiable data from any individual in Europe,” said Garry Sidaway, senior vice president at NTT Security, in a news release. “Our report clearly indicates that a significant number do not yet have it on their radar or are ignoring it.”

Incident Response Adjustments

Security leaders must also make adjustments to their incident response strategies to maintain compliance with the GDPR. In the event of a data breach, for example, the regulation requires security teams to report the incident to the appropriate EU regulator within 72 hours, SecurityWeek reported.

An incident response plan, which was fully understood by less than half of the survey’s respondents, extends far beyond the IT and security departments. Each part of the business must know its responsibilities and how to deal with them should a security event arise, or risk facing the consequences of the GDPR.