UK boardrooms aren’t treating the General Data Protection Regulation (GDPR) with the seriousness required, resulting in overconfidence when it comes to compliance. This is the main finding of the latest research from Trend Micro, which surveyed over 1,000 IT decision makers from businesses across the globe.
The research reveals a good awareness of the principles behind GDPR, with every single UK business leader surveyed (100%) knowing that they need to comply with the regulation, and a strong majority having seen its requirements (88%). In addition, nine in ten (88%) British businesses are confident that their data is as secure as it can possibly be – nine points ahead of the global average of 79%.
Despite this, there is some confusion over what constitutes the ‘personal data’ they need to be protecting. Of the respondents surveyed in the UK, eight in ten (79%) were unaware that a customer’s date of birth is classed as personal data. To make matters worse, over half (56%) of British business leaders wouldn’t class email marketing databases as personal data, dropping to three in ten (29%) for a postal address, and one in ten (10%) for a customer’s email address. With this data providing hackers with the grounds for identity theft, any business that isn’t protecting it correctly is at risk of a penalty fine.
While UK businesses are more confident in their defences than their peers overseas, their ability to identify personal data lags behind. Globally, six out of ten businesses (64%) wouldn’t count a customer’s date of birth as personal data, 15 points fewer than in the UK. What’s more, four out of ten (42%) wouldn’t class email marketing databases as personal data, 14 points fewer than among British business leaders.
When it comes to penalty fines, UK businesses could be in for a surprise. A staggering three quarters (73%) are unaware of the sum of the fine they could face, with only a quarter (27%) recognising that between 2% and 4% of their annual global turnover could be sacrificed. While the global average doesn’t look bright, it’s still ahead of the UK: a third (33%) are aware of the fines GDPR presents. One in four UK businesses (28%) claim that a fine ‘wouldn’t bother them’, but these attitudes may change once they are aware of the true financial ramifications of a breach.
When asked what would have the biggest impact in the event of a breach, three in five UK businesses (60%) cited reputational damage, with just under half (47%) claiming this would have the biggest impact amongst existing customers. One in ten (13%) feared that new business prospects would be affected, while two fifths of businesses (39%) believe the fine would have the most impact.
“The lack of knowledge demonstrated in this research by enterprises surrounding GDPR is astounding. Birth dates, email addresses, marketing databases and postal addresses are all critical customer information, and it’s concerning that so many British businesses – despite their confidence – are unaware of that,” Rik Ferguson, VP Security Research at Trend Micro, commented. “If businesses aren’t protecting this data, they aren’t respecting the impending regulation – or their customers – and they definitely aren’t ready for GDPR.”
But the confusion doesn’t stop there. Trend Micro asked UK businesses who should be held accountable for the loss of EU data by a US service provider. Only a tenth (11%) could correctly identify that responsibility falls to both parties, a fraction worse than the global average of a seventh (14%). Three fifths of UK businesses (63%) think that the fine would go to the EU data owner, while a quarter (23%) believe that only the US service provider is at fault.
ITDMs from businesses with 500+ employees in 11 countries, including USA, UK, France, Italy, Spain, Netherlands, Germany, Poland, Sweden, Austria and Switzerland. 102 decision makers were surveyed in the UK.
ITDMs from 102 UK businesses with 500+ employees.