The UK Government has released a survey looking into the challenges of GDPR faced by businesses and charities, as well as the approaches they are taking to tackle them. By conducting the survey, the government is aiming to determine where it can work with industries to provide support.
Arriving at a critical point in the history of cybersecurity, 2018 is positioned to be an important year. A core reason for this is the fast approach of GDPR, with the long-awaited EU regulation set to come into force on the 25th of May this year.
GDPR has been a central theme throughout the tech industry's reaction to the government survey, with more than one commentator expressing deep concern at the shockingly high percentage of organisations that state they have not even heard of the important data protection regulation.
Most worryingly of all, a colossal 38 per cent of businesses and 44 per cent of charities said they have not even heard of GDPR.
In addition to this, just over a quarter said that they have made changes to work toward compliance in the run-up to the arrival of the regulation. Just under half of businesses and just over a third of charities said that the changes they made relate to cybersecurity practices.
Penalties on offer for failing to comply are serious, promising a painful fine of up to four per cent of an organisation’s annual turnover, a hit that could be devastating for some.
Data Protection goes well beyond GDPR
Lorena Marciano, EMEAR Data Protection & Privacy Officer, Cisco, said: “Today’s survey is a great first step in highlighting what government needs to do to ensure British businesses are GDPR compliant. However, data protection goes well beyond GDPR. If the global cyberattacks that dominated the headlines in 2017 didn’t make business leaders sit up and take notice, increasing customer concern that products don’t have the appropriate privacy protection, combined with the huge fines attached to non-compliance, will force them to do so.”
Businesses could be in for a nasty surprise
Rashmi Knowles, Field CTO of RSA, said: “It’s worrying that 62% of businesses say they haven’t even heard of GDPR, given that non-compliance could result in fines of up to €20m or 4% of overall turnover. These businesses could be in for a nasty surprise when the legislation comes into effect in May.”
“Even worse is that, of those who are aware, only 27% are making any changes to how they operate to meet their GDPR obligations. And more than half of that 27% haven’t included changes to their cyber-security practices. Shockingly, this means that overall, only one in twenty businesses is adapting their cyber-security processes in light of GDPR.”
Crucial that organisations invest appropriately
Darren Anstee, Chief Technology Officer, NETSCOUT Arbor, said: “Gaining a good understanding of GDPR is still a work-in-progress for many organisations – and it’s important to consider the impact mishandled data might have on the organisation itself, customers and employees. It is concerning that at this late stage only 80% of large businesses are aware of the regulation.”
“The fact that creating and changing policies in order to comply with the new GDPR legislation is the most common change made by business and charities alike is both good and bad. On the one hand organisations have obviously taken on board the process and policy changes they need to comply, however the low percentage shown around other types of change may indicate that the focus has been purely around compliance, rather than looking at the aim of the legislation – to improve the way people’s data is acquired, processed, stored and secured.”
“While some changes may incur additional costs to businesses, others may reduce overall costs, such as the unification of regulation. The impact of data-breaches to both business and the end-user can be significant and, ultimately, it is crucial that organisations invest appropriately to protect themselves and their customers.”
Remember to protect email archives
Ross Jackson, Vice President of Customer Transformation & Innovation at Mimecast, said: “Understanding the data your organisation holds is key for achieving full compliance. For example, email archives can be a forgotten, but surprisingly data-rich aspect of every business.”
“Nearly all company information, be it employee, business or customer related, passes through email at some point, sitting idly in an inbox or archived for future reference. A compromised email server is near-equal to a compromised business server.”
Organisations have an obligation to protect data
Sarah Armstrong-Smith, Head Continuity & Resilience at Fujitsu UK & Ireland, said: “It is concerning to see that less than two-fifths (38%) of businesses have heard of the General Data Protection Regulation (GDPR). Especially when recent attacks have revealed the potential cost of suffering a major security breach is enormous and the threats that we face are only increasing.”
“What’s more, with our latest report revealing that a fifth of the UK public believe cybercrime and hacking are the biggest challenges facing the UK today (above global economic uncertainty and the skills gap), each organisation has an obligation to make data protection as much of a priority as the public, who are regularly asked to hand over financial and other personal data.”
This article is from the CBROnline archive: some formatting and images may not be present.