General Data Protection Regulation (GDPR): 25% of employees storing data in public without permission
Even HR is breaking the rules, using public cloud services without the organisation's permission
Businesses are putting themselves in the firing line for big fines if they don't comply with GDPR guidelines, Sharp has revealed, with almost a quarter of employees storing confidential information on the public cloud, even if their organisation hasn't sanctioned it.
In fact, one in 12 employees are able to access information they shouldn't be able to view, putting both customers and the company at risk of data leaks. The problem has been amplified because such a large proportion of the workforce is now able to work remotely, Sharp said in its report.
"It is up to businesses to find the right balance between modern ways of working and secure data sharing. When you also consider that 75% of employees access work documents on the go, businesses need to do more to keep up with their workers," Stuart Sykes, managing director at Sharp Business Systems, said.
The company added that almost a quarter of employees are using public file sharing sites without the permission of the business and a third are taking work home to finish, without getting approval from their managers to take data off-premises.
Even HR are breaking the rules, Sharp said, despite them being the department usually setting boundaries. 30% of HR managers said they had stored information in the public cloud, despite knowing the risks.
Security and privacy expert Dr Karen Renaud said that the results showed a need for businesses to provide better support for employees: "As long as businesses continue to require or implicitly overlook insecure behaviours, security will always be sacrificed."
05/07/2017: Councils are 'seriously unprepared' for GDPR
The General Data Protection Regulation (GDPR) will give people more control over their personal information when it is passed into law in 2018, superseding the UK's outdated Data Protection Act, which was drafted in the 1990s.
The regulation requires no special legislation to come into force in the UK, making the two-year countdown a hard deadline for companies to get into shape for.
GDPR changes the concept of personal data, expanding its definition to include people's IP addresses and online identifiers, as well as forcing companies to gain people's explicit consent to use their data.
It aims to make it easier for citizens to find out what data companies hold on them, and giving them more details about how their data is handled and what it is used for.
People will also have a right to port all their data from one company to another, and to know when their data has been hacked, as well as the right to be forgotten, which will require companies to delete people's personal data when asked to.
These new rules represent dramatic changes to the way businesses are required to handle data, and the consequences for failing to look after such information properly can be drastic.
Any company that suffers a data breach will face a fine of up to 20 million or four per cent of their annual global turnover, compared to a maximum existing penalty of 500,000.
The vast majority of councils in the UK have not yet allocated budget towards meeting the various requirements of the General Data Protection Regulation (GDPR).
With the regulations coming into force in May 2018, 82% have not earmarked money to deal with implementing the EU data protection rules, which come into force on 25 May 2018. The information came to light following a freedom of information (FoI) request by M-Files Corporation.
The company sent FoI requests to all 32 London boroughs and 44 other local authorities throughout the country, asking councils about their GDPR preparedness.
It found that 76% of London councils have not yet allocated budget towards making provisions to ensure compliance with GDPR, with the same figure for the rest of the country standing at 89% (averaging 82%). Additionally, 56% of the local authorities contacted have still not appointed a data protection officer, despite this being stipulated as a requirement by GDPR for public bodies.
Julian Cook, vice president of UK Business at M-Files, said that the finding point to a "serious lack of awareness" of the importance of GDPR and the challenges it will pose for local government.
"At this stage, we would have expected local authorities to be further along in their preparation efforts, but the data demonstrate that this is far from the case," he said. "Inadequate preparation for GDPR will have serious financial implications if these boroughs ultimately do not comply with the new rules."
He added that local authorities face a constant struggle to manage a series of diverse responsibilities, often having to work with limited budget and resources.
"Effective data management is often one of the most labour-intensive of these challenges, with local authorities tasked with administering and protecting ever-increasing amounts of sensitive data, such as personally identifiable information (PII)," added Cook.
In This Article
Four cyber security essentials that your board of directors wants to know
The insights to help you deliver what they needDownload now
Data: A resource much too valuable to leave unprotected
Protect your data to protect your companyDownload now
Improving cyber security for remote working
13 recommendations for security from any locationDownload now
Why CEOS should care about the move to SAP S/4HANA
And how they can accelerate business valueDownload now