UK boardrooms aren’t treating the General Data Protection Regulation (GDPR) with the seriousness required, resulting in overconfidence when it comes to compliance.
This is the main finding of the latest research from Trend Micro, which surveyed over 1,000 IT decision makers from businesses across the globe.
The research reveals a good awareness of the principles behind GDPR, with every single UK business leader surveyed (100%) knowing that they need to comply with the regulation, and a strong majority having seen its requirements (88 per cent). In addition, nine in ten (88 per cent) British businesses are confident that their data is as secure as it can possibly be – nine points ahead of the global average of 79 per cent.
Despite this, there is some confusion over what constitutes the ‘personal data’ they need to be protecting. Of the respondents surveyed in the UK, eight in ten (79 per cent) were unaware that a customer’s date of birth is classed as personal data. To make matters worse, over half (56 per cent) of British business leaders wouldn’t class email marketing databases as personal data, dropping to three in ten (29 per cent) for a postal address, and one in ten (10 per cent) for a customer’s email address. With this data providing hackers with the grounds for identity theft, any business that isn’t protecting it correctly is at risk of a penalty fine.
While UK businesses are more confident in their defences than their peers overseas, their ability to identify personal data lags behind. In terms of the global average, six out of ten businesses (64 per cent) wouldn’t count a customer’s date of birth as personal, marking a 15-point gap behind the UK. What’s more, four out of ten (42%) wouldn’t class email marketing databases as personal data – a 14-point gap behind British business leaders.
When it comes to penalty fines, UK businesses could be in for a surprise. A staggering three-quarters (73 per cent) are unaware of the sum of the fine they could face, with only a quarter (27 per cent) recognising that between 2 and 4 per cent of their annual global turnover could be sacrificed. While the global average doesn’t look bright, it’s still ahead of the UK: a third (33 per cent) are aware of the fines GDPR presents. One in four UK businesses (28%) claim that a fine ‘wouldn’t bother them’, but these attitudes may change once they are aware of the true financial ramifications of a breach.
When asked what would have the biggest impact in the event of a breach, three in five UK businesses (60%) cited reputational damage, with just under half (47 per cent) claiming this would have the biggest impact amongst existing customers. One in ten (13%) feared that new business prospects would be affected, while two-fifths of businesses (39 per cent) believe the fine would have the most impact.
“The lack of knowledge demonstrated in this research by enterprises surrounding GDPR is astounding. Birth dates, email addresses, marketing databases and postal addresses are all critical customer information, and it’s concerning that so many British businesses – despite their confidence – are unaware of that,” Rik Ferguson, VP Security Research at Trend Micro, commented. “If businesses aren’t protecting this data, they aren’t respecting the impending regulation – or their customers – and they definitely aren’t ready for GDPR.”
But the confusion doesn’t stop there. Trend Micro asked UK businesses who should be held accountable for the loss of EU data by a US service provider. Only a tenth (11 per cent) could correctly identify that responsibility falls to both parties, a fraction worse than the global average of a seventh (14 per cent). Three-fifths of UK businesses (63 per cent) think that the fine would go to the EU data owner, while a quarter (23 per cent) believe that only the US service provider is at fault.
Pointing the Finger
It turns out UK businesses aren’t sure who should take ownership of ensuring compliance with the regulation, either. Of those surveyed, a quarter (25 per cent) think that the CEO should be responsible for leading GDPR compliance, and just under a quarter (23 per cent) think the CISO and their security team should take the lead.
But the C-Suite isn’t living up to expectations. Only a fifth of UK businesses (19 per cent) have a C-level executive involved in the GDPR process, marking a 29-point gap between who businesses want to take charge, and who is actually doing so. The majority of UK businesses (61 per cent) have the IT department taking the lead, while only a tenth of businesses (10 per cent) have a board level or management member involved.
“With just nine months to go before it comes into force, GDPR should be the biggest boardroom issue of the moment. But the findings suggest it’s the elephant in the British boardroom. If organisations don’t take the regulation seriously, they could be subject to a fine that’s a significant portion of global revenue. The task for the C-Suite now is to see GDPR as a business issue rather than a security issue, before it gets to that stage,” Ferguson continued. “Preparing for GDPR is a tremendous task, from investing in state of the art technologies, to implementing data protection and notification policies. But this preparation will be redundant if businesses don’t understand what data this applies to, and which parties are responsible. There’s an industry-wide education gap here, and it needs to be addressed.”
With threats coming in every shape and form, businesses don’t just lack the expertise to combat them, but the cross-generational technology required, too. GDPR states that businesses must implement state of the art technologies relative to the risks faced. Despite this, only a quarter of British businesses (25 per cent) have implemented advanced technologies to identify intruders on their network as a precaution. A quarter (27 per cent) have implemented encryption technologies, and a third (30 per cent) have invested in data leak prevention technology.
About the research
The findings are based on joint research with Opinium. Between 22 May and 28 June 2017, 1,132 online interviews were conducted with IT decision makers from businesses with 500+ employees in 11 countries, including USA, UK, France, Italy, Spain, Netherlands, Germany, Poland, Sweden, Austria and Switzerland. Respondents held either C-Level, senior management or middle management positions, and worked in organisations operating in multiple sectors, including retail, financial services, public sector, media and construction.