Most UK businesses are still not GDPR compliant
Despite the having taken effect more than a year ago, a 'good enough' approach is taking over
More than half of UK businesses are still not GDPR compliant over a year since the legislation came into force, according to a report from Egress.
Although nearly all businesses that responded to the survey (96%) said they had invested in GDPR compliance over the past 12 months, the majority are still leaving themselves open to debilitating fines.
Of the 52% that said they were non-compliant, 42% of them said they were "mostly compliant" with the data protection laws that came into effect in May 2018 under the Data Protection Act 2018.
"The fact they are not yet over the line demonstrates a loss of focus on achieving the necessary standard," read the report. "This is supported by the fact that more than one-third (35%) said GDPR compliance has become less of a priority in the past 12 months.
"Even the ICO's announcement of its intention to issue multimillion-pound fines to BA and Marriott Hotels has not reignited urgency; only 6% of respondents said it had shocked their business back into awareness."
The understanding that GDPR has been the catalyst in the "unprecedented" fourfold increase in data breach reports since its implementation was echoed in the report which revealed 37% of GDPR decision-makers were obliged to report a breach to the ICO in the past 12 months.
The fines that can be dished out as a result of a breach may scare some, but that isn't reflected in the survey of UK GDPR decision-makers. A large majority of respondents (70%) were positive about GDPR, proactively protecting the data it holds. Although a portion of these may not be proactively protecting data to a lawful extent, 62% said their organisation had made GDPR a priority of the past year.
"Since the rush to meet last May's deadline, we now appear to be seeing an 'almost compliant is close enough' attitude towards GDPR, with a significant percentage of decision-makers indicating that focus has waned in the past 12 months," said Tony Pepper, CEO at Egress.
Going forward, investment in GDPR is shifting towards new processes around the handling of sensitive data 28% said this was the biggest area of investment since they started implementing GDPR-ready protection.
"It's positive to see that almost one-fifth (17%) of respondents are looking to technology as a way to mitigate breaches, but they must ensure these solutions tackle human error as the root causes of many of these incidents," said Pepper.
"They must look to the latest advances in security and DLP technology that can map a user's behaviour to prevent the array of mistakes that put data at risk from falling for phishing attacks that can lead to malware infections or stolen credentials, to misdirecting emails or attaching the wrong documents.
"GDPR is here to stay, and we're only going to see more companies penalised for data breaches unless we're able to overcome these issues."