GDPR is the elephant in British boardrooms


UK boardrooms aren’t treating the General Data Protection Regulation with the seriousness required, resulting in overconfidence when it comes to compliance, new research reveals.

The research into IT decision makers from across the globe reveals a good awareness of the principles behind GDPR, with every single UK business leader surveyed knowing that they need to comply with the regulation, and a strong majority having seen its requirements. In addition, nine in ten British businesses are confident that their data is as secure as it can possibly be – nine points ahead of the global average of 79 per cent.

Despite this, there is some confusion over what constitutes the ‘personal data’ they need to be protecting. Of the respondents surveyed in the UK, eight in ten were unaware that a customer’s date of birth is classed as personal data.

To make matters worse, over half of British business leaders wouldn’t class email marketing databases as personal data, dropping to three in ten for a postal address, and one in ten for a customer’s email address. With this data providing hackers with the grounds for identity theft, any business that isn’t protecting it correctly is at risk of a penalty fine.

While UK businesses are more confident in their defences than their peers overseas, their ability to identify personal data lags behind. In terms of the global average, six out of ten businesses wouldn’t count a customer’s date of birth as personal, marking a 15-point gap behind the UK. What’s more, four out of ten wouldn’t class email marketing databases as personal data – a 14-point gap behind British business leaders.

When it comes to penalty fines, UK businesses could be in for a surprise. A staggering three quarters are unaware of the sum of the fine they could face, with only a quarter recognising that between 2- 4 per cent of their annual global turnover could be sacrificed. While the global average doesn’t look bright, it’s still ahead of the UK: a third are aware of the fines GDPR present. One in four UK businesses claim that a fine ‘wouldn’t bother them’, but these attitudes may change once they are aware of the true financial ramifications of a breach.

When asked what would have the biggest impact in the event of a breach, three in five UK businesses cited reputational damage, with just under half claiming this would have the biggest impact amongst existing customers. One in ten feared that new business prospects would be affected, while two fifths of businesses believe the fine would have the most impact.

“The lack of knowledge demonstrated in this research by enterprises surrounding GDPR is astounding. Birth dates, email addresses, marketing databases and postal addresses are all critical customer information, and it’s concerning that so many British businesses – despite their confidence – are unaware of that,” Rik Ferguson, VP Security Research at Trend Micro commented. “If businesses aren’t protecting this data, they aren’t respecting the impending regulation – or their customers – and they definitely aren’t ready for GDPR.”

But the confusion doesn’t stop there. UK businesses were asked who should be held accountable for the loss of EU data by a US service provider. Only a tenth could correctly identify that responsibility falls to both parties, a fraction worse than the global average of a seventh. Three fifths of UK businesses think that the fine would go to the EU data owner, while a quarter believe that only the US service provider is at fault.

Only a fifth of UK businesses have a C-level executive involved in the GDPR process, marking a 29-point gap between who businesses want to take charge, and who is actually doing so. The majority of UK businesses have the IT department taking the lead, while only a tenth of businesses have a board level or management member involved.

“With just nine months to go before it comes into force, GDPR should be the biggest boardroom issue of the moment. But the findings suggest it’s the elephant in the British boardroom. If organisations don’t take the regulation seriously, they could be subject to a fine that’s a significant portion of global revenue. The task for the C-Suite now is to see GDPR as a business issue rather than a security issue, before it gets to that stage.” Ferguson continued. “Preparing for GDPR is a tremendous task, from investing in state of the art technologies, to implementing data protection and notification policies. But this preparation will be redundant if businesses don’t understand what data this applies to, and which parties are responsible. There’s an industry-wide education gap here, and it needs to be addressed.”

With threats coming in every shape and form, businesses don’t just lack the expertise to combat them, but the cross generational technology required, too. GDPR states that businesses must implement state of the art technologies relative to the risks faced. Despite this, only a quarter of British businesses have implemented advanced technologies to identify intruders on their network as a precaution. A quarter have implemented encryption technologies, and a third have invested in data leak prevention technology.