GDPR Global privacy legislation UK

61% of UK businesses think GDPR doesn’t apply to them

Only 39% of UK business decision-makers believe GDPR affects their business, while 20% admit they don’t know which compliance regulations their company is subject to.

NTT Security’s 2017 Risk:Value Report suggests that although many companies worldwide are getting to grips with broader cybersecurity and data protection challenges, there are “several gaping holes” when it comes to awareness of security regulations and the creation of policies.

Ignorance ≠ bliss

While the UK fared poorly on GDPR awareness – coming last of all the European countries surveyed – 75% of US companies do not see that it will impact them. Germany/Austria at 53% and Switzerland at 58% show good if hardly stellar awareness just under a year away from the May 2018 enforcement date.

With penalties of up to €20million or 4% of annual turnover, whichever is higher, ignorance around the importance of GDPR is worrying – and directly affecting data security policies in business:

  • Only 54% of French and 57% of UK respondents know where company data is stored.
  • Just 41% of UK decision-makers believe their organisation’s data is secure.
  • 44% of businesses don’t have a full information security policy in place. Here, the UK leads the field with 72% while Sweden heads the foot-draggers at just 30%.
  • 52% have no incident response plan – and of those that do, only 47% know what it contains.

It’s fair to point out that none of the respondents are in the IT function of their business, but it does seem it’s not for want of the tech team trying: 67% say their IT department keeps them fully up to date about attacks and cyber threats.

With fines, reputation damage and other direct business costs at stake, a little join the dots wouldn’t go amiss.

Brexit, schmexit

While GDPR is an EU regulation, leaving the Union will not exempt the UK from adhering to the rules – if it wants to continue to engage with EU states. Like the US and other popular non-EU-based data center locations, UK businesses that process EU citizens’ data will be expected to comply.

“You would hope that the date of 25 May 2018 is clearly marked in the calendars of any business, UK or otherwise, that collects or retains personally identifiable data from any individual in Europe… Brexit is no excuse.” –Linda McCormack NTT Security Vice President UK & Ireland

NTT Security Vice President UK & Ireland, Linda McCormack said that “In theory, UK organisations should be well ahead of the curve when it comes to EU GDPR, given that it is a European data protection initiative. McCormack added that “Brexit is no excuse, as UK companies will still need to comply when dealing with countries in the EU. What’s clear from our report is that a significant number do not yet have it on their radar or simply do not know if it applies to them. The fact they do not know means there is no plan on action in place.”

As things stand, GDPR is far from being the UK’s only data security challenge:

  • 63% agree that a breach is inevitable but only 57% say prevention is a regular boardroom item.
  • 80 days: the estimated recovery time from a breach.
  • £1.1m is the average estimated breach recovery cost

Do it now, do it right.

NTT Security concludes that while companies are clearly investing more in cybersecurity, the issue remains relatively low-key at board level. Add to this a general failure to communicate policies effectively and get employees on board and you’re still looking at a lot of risk.

But the perhaps the biggest risk of all is regulatory, says NTT: “Until now, companies that left gaps in their information security strategies could simply take the risk of compromise…from 25 May 2018, they face a burden of proof…Now is the time to address these issues and comply.”

NTT Security’s 2017 Risk:Value Report can be accessed here.