Netskope, the leader in cloud security, today announced the release of a survey that found six in 10 UK adults have never even heard of the EU General Data Protection Regulation (GDPR).
The independent survey of 2,000 British adults offers a snapshot of current understanding of the GDPR amongst adults of working age, and the extent to which employers have already informed staff about the regulation. The survey also asked respondents to state the maximum fine possible under the GDPR.
Failure to educate staff on regulation
Asked the question of whether they were aware of the GDPR, fewer than one in 10 respondents (9.6 per cent) claimed to have a detailed knowledge of the regulation, with six in 10 (62.9 per cent) saying they had never heard of it. A further 14.1 per cent had heard of the regulation but did not know what it was. 13.4 per cent said they had some general understanding of the GDPR.
When asked if their employer had informed them about the GDPR and its effect on working processes, seven in 10 employees (70.4 per cent) said that they hadn’t been told anything about the GDPR yet by their employers. A further 8.6 per cent said it had been mentioned but that they were unsure of the details of the regulation, and only one in five (21.0 per cent) said they’d been offered “plenty” of information about the GDPR.
Understanding the financial implications for non-compliance
Finally, when asked to state the maximum fine possible for a company found to have breached the regulation and infringed upon data subjects’ rights in the process, just 1 per cent of respondents were able to accurately pinpoint the correct maximum fine – 20 million euros or 4 per cent of annual worldwide turnover (whichever is larger). One in five UK office workers (21.4 per cent) thought the maximum fine would be between 1 and 1000 euros – underestimating the sum by a factor of 20,000. One in 10 (9.6 per cent) thought the maximum fine was 1 million euros – a sum representing a mere 5 per cent of the maximum fine under the GDPR.
In 2016, TalkTalk was issued with a £400,000 fine by the ICO for security failings that allowed a cyber attacker to access customer data “with ease”. Even if translated into a lower-tier GDPR fine (the higher of 2% of annual worldwide turnover or 10 million euros), this fine would have increased to £3,676,000 – demonstrating the extent of the financial incentive for businesses to tackle GDPR compliance.
Commenting on these findings, André Stewart, VP EMEA, Netskope, said:
“These findings show that organisations have a lot of work to do in order to educate employees on the GDPR and the safe data handling behaviour needed to achieve compliance. With seven in 10 UK adults yet to be educated about the GDPR by their employers, it’s possible that many employers are either unaware of the importance of coaching staff or they are not yet making the GDPR a high priority. Unfortunately, both approaches are misguided and leave companies open to GDPR compliance breaches – and massive potential fines as a result.
Stewart continued: “If employees haven’t been taught what security best practice looks like, they can’t do their everyday jobs securely and that presents a major risk to the organisation. Employers will need to show that they have trained their employees on the GDPR to achieve compliance. The amount of effort put into coaching employees on secure data handling is likely to be one of the questions regulators ask when deciding whether to penalise organisations. This means that coaching is essential to limit the risk of a breach in the first place, and then again to limit the extent of any potential penalty. Alongside coaching, employees will also need the tools to do their jobs securely without sacrificing ease and convenience, so ensuring the secure use of cloud services will be a fundamental piece of the compliance puzzle.”
Majority of cloud services still not GDPR ready
On average, IT departments estimate that there are 40-50 cloud services in use in their organisation. However, the January 2017 Netskope Cloud Report found that the average number of cloud services in use per enterprise in EMEA now stands at 845. Of all cloud services assessed, 66 per cent were judged to fall short of the standards required under the GDPR, meaning that they lack the residency, privacy, and security controls required for compliance – or were not close enough to the required standard to be considered capable of achieving compliance by the May 2018 deadline.
Drilling further into the Netskope Cloud Report data shows that 82 per cent of cloud services do not encrypt data at rest, 66 per cent do not specify that their customers own the data in their terms of service, and 42 per cent do not allow admins to enforce password controls.