Two years after the EU’s General Data Protection Regulation (GDPR) was first announced, a fifth (20%) of UK IT decision makers are still unaware of its existence, according to research from Trend Micro. Of those that do, almost a third (29%) don’t think that the regulation would apply to their organisation, or are unsure.
GDPR, formally adopted by the European Parliament on April 14th, will come into force in the UK in 2018 and will apply to European organisations as well as to companies based outside Europe that supply goods and services to European citizens. Under GDPR, failure to comply can have a big impact on a company’s bottom line – organisations face fines of up to 4% of their annual turnover for non-compliance. According to the research, almost a fifth of companies (18%) aren’t currently aware that they may face fines, and 32% know there are fines but are unaware of what they are.
Furthermore, a quarter of companies (26%) don’t know how much time they have to become compliant. Just under a third (31%) think their organisation has within 6 to 12 months to become compliant, with over one in ten (11%) thinking they have much longer – within 2 to 3 years.
Rik Ferguson, Global VP of Security Research at Trend Micro, believes UK companies lack motivation to comply with GDPR: “As it often happens with regulation, it’s going to take a whipping boy to understand the gravity of the situation for most organisations. One high-profile case of a company handing money over for non-compliance under GDPR will be the required wake-up call the rest of the industry needs to get their act together.”
Currently, just over half of companies (55%) know about the GDPR requirements, but almost one in ten (8%) IT decision makers don’t understand what steps they need to take to become compliant. Only 22% are aware they need to hire a data protection officer and there’s also some confusion as to who is responsible for ensuring compliance. Two in five (42%) think the responsibility lies with the organisation as a whole, with a quarter (24%) thinking responsibility lies directly with the CEO.
“GDPR is formulated differently to some of the more prescriptive regulation currently in place. Instead of stating that organisations require a certain type of encryption, algorithms or end-to-end solutions, the GDPR is oriented at how organisations do business and how they process information and thus, by definition, it is more open to interpretation. Although that makes the regulation more difficult for companies to follow, it does mean it’s more strategic in approach, covering a period in time and encouraging businesses to think of security in a more holistic way,” adds Rik Ferguson.
When asked about steps they have taken to become compliant, organisations listed increased investment in IT security and focus on employee training on data protection as key initiatives, with 44% and 42% of organisations taking those steps respectively.
When it comes to the challenges businesses face, a quarter (25%) of IT decision makers see restricted resources for improving current processes as the biggest barrier to complying with data protection regulations. Other barriers include the lack of a formal process for notifying of a data breach (21%), lack of financial resources (20%) and the lack of a formal process for clearly identifying data location and ownership (19%).