General Data Protection Regulation (GDPR): 25% of employees storing data in public without permission

Even HR is breaking the rules, using public cloud services without the organisation's permission

19/06/2017: 23% of small UK firms haven't started preparations for GDPR

Nearly a quarter of small UK businesses still haven't started preparing for data protection rules that are less than a year away, according to a survey.

Around one in 10 enterprises with 500 or more employees are in the same position, NetApp's survey of 253 CIOs and IT leaders in the UK found.

The EU's General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018, and will introduce stringent new measures designed to give EU citizens more control over how organisations use their personal information.

Tough fines will apply to organisations that breach the law, with firms facing penalties of up to 4% of their annual turnover or €20 million, whichever is greater.

NetApp's research found that the major issue seems to be a lack of understanding and awareness, with only 7% of small business respondents saying they fully understand the rules, and 14% admitting they don't even know what GDPR is.

With only 19% of small business IT decision makers and CIOs claiming to be totally prepared for the legislation deadline, compared with 34% of larger business respondents, smaller businesses could fare worse under the new regulation's heavy fines, NetApp said.

Marketing manager Martin Warren said: "The risks of non-compliance for a smaller business could be catastrophic -- by virtue of size, they are even more vulnerable to the hefty fines for non-compliance."

But a solid 28% of small business respondents said they have 'a good understanding' of GDPR, a figure higher than those from both medium (27%) and larger businesses (21%).

16/06/2017: Just 6% of UK firms regard GDPR compliance as a priority

UK companies are lagging behind France in preparing for the EU's General Data Protection Regulation (GDPR), according to a new survey.

Just 6% of British firms have made complying with the new data protection rules a priority, security firm Sophos's research, conducted last month, found, compared to 30% of French businesses.

Sophos's survey of 625 IT decision makers in the UK, France, Belgium, the Netherlands and Luxembourg also discovered that 54% of respondents had little understanding that failure to comply could result in a fine of up to 4% of a business's annual turnover or €20 million, whichever is greater.

One in five respondents said such a fine would force them to close, a figure that rose to one in two SMB respondents. More than a third surveyed admitted a GDPR fine would result in redundancies.

But the data showed that the UK considers the data protection measures less of a priority than the other European countries: 20% of British companies deemed GDPR a low priority, compared to 8% in France.

While one in five French firms are confident they're compliant, that figure sinks to 8% in the UK, despite GDPR coming into effect from 25 May 2018.

"Getting ready for GDPR is a long process. If regulators demonstrate that they are prepared to impose the maximum fines in May 2018, then businesses will seriously regret not being prepared," said John Shaw, vice president of product management for the end user group at Sophos.

So far, just 42% of firms have created a data protection officer role, a requirement under GDPR for public authorities and companies carrying out large-scale behaviour tracking. Meanwhile, only half of IT decision makers told Sophos their company is able to gain consent from the people whose data they're collecting, a key tenet of GDPR.

Less than half said they're able to delete people's data when requested, as per GDPR's 'right to be forgotten' policy, and a similar figure said they can report a data breach to their data protection authority within the 72-hour deadline.

"With data breaches occurring on an almost daily basis across Europe, I would argue that the top priority should actually be to reduce the risk of the data breaches," said Shaw. "Reducing that risk doesn't need to be complicated - concentrate on stopping the biggest causes of data breaches by making sure the basics are in place: keep all operating systems and software up to date, implement encryption for sensitive data, and educate all employees about the risk of phishing and other social engineering attacks."

19/05/2017: Employees putting company GDPR preparations at risk

Research by M-Files has revealed that employees are making it difficult for businesses to prepare for the incoming GDPR legislation because they are using their personal devices and personal cloud accounts to access and store company information.

A third of workers are using shadow IT, rather than going through company channels to ensure the way they handle information is sufficiently secure.

M-Files found that 33% of employees are using their personal devices rather than business-provisioned equipment to access and share company information, while 31% are using personal cloud services without the go-ahead from company IT departments.

"Going against company policies on sharing and accessing documents may seem relatively harmless, but it can have costly consequences, leaving organisations exposed to heightened security risks and compliance issues," Julian Cook, VP of UK business at M-Files, said.

"With the General Data Protection Regulation (GDPR) on our doorsteps it's critical that organisations maintain control and visibility of their documents and information handling practices."

The survey questioned 250 IT decision makers about how they're protecting data in their organisation, and it revealed that 23% of those businesses had experienced at least one security breach in the past year because employees weren't sticking to company-wide data security policies.

"The Shadow IT problem can be fought on two fronts. As a first step, organisations should implement and continuously reinforce a clear policy on the use of personal devices and file sync-and-share apps as well as communicate to staff the impacts of not adhering to these guidelines, which can negatively impact the company," Cook advised.

"But perhaps more important is understanding and addressing the root causes of Shadow IT, which in most cases points to deficiencies in existing information management solutions and approaches."
