More than one year after the General Data Protection Regulation (GDPR) went into effect, just over 50 percent of British companies do not yet fully comply with this regulation. These are the findings of a survey among British managers by data security solutions provider Egress.

The survey shows that 37 percent of respondents have reported an incident to the British Data Protection Authority ICO the in the last 12 months, and that 17 percent have even reported more than one. It also appears that 53 percent of medium-sized companies reported data breaches, compared to 36 percent of small businesses and only 23 percent of larger businesses.

A remarkably low percentage (39.5 percent) of medium-sized businesses reported to be completely GDPR compliant, compared to 56 percent of large and 51 percent of small businesses. All in all, these figures indicate that medium-sized companies are clearly lagging behind the rest when it comes to GDPR-compliancy.

Other important findings from the survey are:

  • Only half of the decision makers (48%) report that their company is fully ‘GDPR-proof’.
  • 42 percent rate their organisation as ‘largely compliant’.
  • More than a third (35%) indicate that the GDPR has received less priority in the past 12 months.
  • 28 percent say they have invested mainly in the implementation of new processes for processing sensitive data in the last 12 months.
  • In addition, they invested in, better insight into which data is collected and why (18%); the appointment of a data protection officer or other personnel charged with the GDPR (18%); new technology (17%).
  • 7 percent indicate that ‘education and training’ is the largest cost item.

Diminishing attention for the GDPR

Around 35 percent of respondents indicate that they have carried out the majority of GDPR-related activities in the run-up to the May 2018 deadline. Since then, attention for GDPR has deminished. Only 6 percent indicate that the ICO’s intention to impose a fine on British Airways and Marriott has raised awareness of the issue. While 70 percent of the respondents indicated that their organisation was very positive about the GDPR, only 62 percent said that GDPR compliancy was a top priority for the company in the past year.

“Whereas we were in a hurry to meet the May 2018 deadline, companies now seem to have adopted an attitude of” almost compliant is good enough,” said Egress CEO Tony Pepper. “We do not only see this attitude in the UK, I also hear this trend reflected by, for example, our Benelux team.

A good percentage of decision makers indicate that the focus on the GDPR has decreased in the past 12 months. The waiting time of more than a year between the implementation of the GDPR and the first government action is to blame for this; the saying “barking dogs never bite” seems to be quoted by many companies outside the security sector when they talk about the GDPR.

Although the announced sky-high fines for British Airways and Marriott caused a shockwave, only 6 percent have been shown to have taken action to avoid any risk. These announcements should really have been a very clear warning that no company can afford not to be compliant.”

Preventing human error

When asked about their largest compliance investment, respondents gave the following answers:

  • Implementing new processes for processing sensitive data (28%)
  • Better control over which data we collect and for what reasons (18%)
  • Hiring a data protection officer or other relevant personnel (18%)
  • New technology (17%)
  • Implementing new procedures for reporting incidents (8%)
  • Education and training of end users (7%)

Despite these investments, 37 percent of UK respondents reported at least one incident to the ICO in the last 12 months. Analysis of the ICO data shows that 60 percent of the security incidents involving breaches of personal data in the first six months of 2019 were caused by human error.

Mr Pepper said, “The vast majority of respondents (96%) indicate that their organisation has invested in compliance with the GDPR for the past 12 months, with the implementation of new processes as top priority. Meanwhile, we know that the primary cause of data breaches is human error. So it is clear that we must choose a different strategy to turn the tide.

There is a need for solutions that eliminate the risk of human failure, such as security and DLP technology that chooses the right strategy based on user behaviour. This protects the user from, for example, phishing attacks that result in malware or stolen login data, and from incorrectly addressed emails or incorrectly shared documents. If we as a business want to prevent fines, we have to ensure that technology supports people, and not the other way around.”

About the Research

The research was commissioned by Egress and carried out by the independent research agency OnePoll in July 2019. The group of respondents comprised 250 British GDPR-related decision makers at small, medium and large companies in the IT, engineering and production, accountancy and finance, retail, consultancy and management, education and healthcare sectors. One third of respondents work for companies with more than 1,000 employees, 32 percent for companies with between 250-999 employees and 35 percent for companies with fewer than 249 employees.

ICO figures are based on data from 1 January 2019 – 20 June 2019, originating from ICO ICE360 systems, obtained through a Freedom of Information request for data breach or loss falling in the Principle 7 category or in the ‘security’ category under the Data Protection Act or under ‘principle (f)’ under the General Data Protection Regulation.