Maren Winter - stock.adobe.com
GDPR non-compliance worse than feared
Over half of UK businesses do not yet appear to be fully GDPR-compliant, and many have de-prioritised their compliance efforts
As the European Union General Data Protection Regulation (GDPR) legislation nears its 18 month anniversary, research by security software supplier Egress has suggested that 52% of UK businesses are not fully compliant with the rules, opening the door to severe penalties if they fall victim to a data breach.
Egress – which polled 250 decision makers, split a third each way between small businesses, medium-sized businesses, and large enterprises – reported that only 48% were fully compliant, and 42% “mostly” compliant.
If other, similar reports are accurate, this could suggest that non-compliance with GDPR is not only more widespread than thought, but in some cases, levels of compliance are being obfuscated by security professionals. In July 2019, two separate surveys – one by audit and tax consultancy RSM and the other by data virtualisation firm Delphix – found that 30% of European businesses were not confident they were compliant, and that some businesses were giving their leadership cause to believe they were compliant when this was not necessarily true.
Over a third of respondents to Egress’ survey also said that GDPR had become “less of a priority” for them in the past 12 months. Most of them said the majority of their compliance activity had taken place in the lead up to the May 2018 deadline and thereafter had dropped off the priority list.
This was in spite of the first big fines being handed down by the Information Commissioner’s Office (ICO) against British Airways and Marriott. Only 6% said these high-profile incidents had shocked them back towards greater awareness. “We now appear to be seeing an ‘almost compliant is close enough’ attitude towards GDPR, with a significant percentage of decision-makers indicating that focus has waned in the past 12 months,” said Tony Pepper, CEO of Egress.
“The wait of more than year between implementation and the first action taken by the ICO under GDPR seemed to lead to a perception outside the security industry that the regulation was ‘all bark and no bite’.
“Although the authority’s announcement that it intends to fine British Airways and Marriott such staggering sums sent shockwaves through the security community, it is concerning that only 6% of organisations have taken action to avoid the full potential of the legislation.”
Read more about GDPR compliance
- Could attracting new clients and retaining existing ones by being able to leverage GDPR compliance in marketing terms be viewed as a benefit?
- Many enterprises are reflecting that a simplistic tick-box approach to compliance, with GDPR specifically and regulatory requirements generally, has failed to gain potential benefits.
- The introduction of the GDPR has certainly coincided with – if not provoked – an upward trend of individuals becoming more zealous about their right to privacy.
Where investment in GDPR compliance was taking place, Egress revealed that the greatest area of investment in the past 12 months was around the implementation of new processes to govern the handling of sensitive data, but even then this was only cited by 28% of respondents.
Other areas named as top spending priorities included the auditing of what data is collected and why (18%), the employment of dedicated data protection officers (also 18%), new cybersecurity technology (17%), and user education and training (just 7%).
In spite of this, over a third of respondents said they had reported at least one GDPR breach to the ICO in the past 12 months – 60% of them likely to be caused simply by human error, according to the ICO itself.
“Clearly strategies need to shift if we are going to turn the tide against data breaches.” said Pepper. “Reliance on people to follow processes and protect data is only going to get organisations so far.”
“People are always going to make mistakes or behave unexpectedly, and more must be done to provide a safety net that protects sensitive information.”