
UK far behind other European countries in regard to GDPR compliance

More than half (54 percent) of businesses in the UK have little to no understanding of the fines associated with not being compliant with GDPR.

That's according to research from Sophos in which 625 IT decision makers (ITDMs) from the UK, France and Benelux (Belgium and Luxembourg) were asked about the impact GDPR will have on businesses in these countries.

Almost one in five (17 percent) of all businesses admitted that if fined, their business would close. This number jumps to 54 percent for small businesses with fewer than 50 people. Additionally, 39 percent of ITDMs said fines would also lead to redundancies at their business.

Many UK businesses think that Brexit may mean they no longer need to comply: 26 percent of UK organisations admitted that since Brexit they are less clear on what they need to do to be compliant, or think they won't have to comply at all.

Two-thirds (66 percent) of businesses in France and Benelux admit they are concerned about data security now that the UK has begun the process to leave the European Union, which shows the uncertainty and confusion caused by Brexit.

Only six percent of UK businesses view GDPR as a number one priority, while 30 percent of businesses in France and 25 percent of businesses in Benelux have made it a priority. One-fifth of UK businesses consider GDPR to be a low priority, which is much higher than in France (eight percent) and Benelux (11 percent).

Almost one in five businesses claimed to be compliant in France (19 percent) and Benelux (18 percent), while in the UK, only eight percent of businesses are currently GDPR compliant.

Only 42 percent of businesses in western Europe have created a data protection officer role, which is a much smaller number than expected. Only half of organisations have measures in place to ensure the individual whose data is being collected gives consent for data collection.

In the event of a “right to be forgotten” request or an individual objecting to the processing of their data, 44 percent of businesses have procedures in place to delete personal data.

In most businesses (70 percent), the IT or IT security team is taking responsibility for complying with GDPR. Only four percent of legal teams and 13 percent of board members or senior management are responsible for implementation.

Many ITDMs called out a lack of awareness from key decision makers as a reason for not having certain protocols in place.

Almost all businesses (98 percent) are making headway in promoting data security in the workplace by either having or currently implementing a formal plan for employees that outlines the data security policy and what is expected of them when they handle personal data.

“Getting ready for GDPR is a long process. If regulators demonstrate that they are prepared to impose the maximum fines in May 2018, then businesses will seriously regret not being prepared,” said John Shaw, vice president of product management for the end-user group at Sophos, in a release.

“With less than a year to go, 55 percent of businesses are not confident that they will be able to comply by the deadline and are understandably distracted by the need to demonstrate GDPR compliance. However, with data breaches occurring on an almost daily basis across Europe, I would argue that the top priority should actually be to reduce the risk of the data breaches.

“Reducing that risk doesn't need to be complicated – concentrate on stopping the biggest causes of data breaches by making sure the basics are in place: keep all operating systems and software up to date, implement encryption for sensitive data, and educate all employees about the risk of phishing and other social engineering attacks.”
