What impact will GDPR have on businesses across the UK, France, Belgium and Luxemburg? Vanson Bourne surveyed 625 IT decision makers in four countries and found that the UK is far behind when it comes to GDPR readiness.
The research also found that 54 percent of businesses have little understanding of the fines associated with GDPR. Businesses that don’t comply with GDPR will face hefty fines of up to €20 million or 4 percent of annual revenue in the event of a data breach. 17 percent of all businesses surveyed admitted that, if fined, their business would close. This number jumps to 54 percent for small businesses with less than 50 people. In addition, 39 percent of IT decision makers surveyed revealed that fines would also lead to redundancies at their business.
Despite this concern, only 6 percent of UK businesses view GDPR as a number one priority, yet 30 percent of businesses in France and 25 percent of Benelux businesses have made it a priority. 20 percent of UK businesses that consider GDPR to be a low priority, a much higher number than in France at 8 percent and Benelux at 11 percent.
Is Europe ready for GDPR?
Almost one in five businesses claimed to be already compliant in France (19 percent) and Benelux (18 percent), however the UK has only 8 percent of businesses currently identifying as GDPR compliant.
“Getting ready for GDPR is a long process. If regulators demonstrate that they are prepared to impose the maximum fines in May 2018, then businesses will seriously regret not being prepared,” said John Shaw, vice president of product management for the Enduser group at Sophos. “With less than a year to go, 55 percent of businesses are not confident that they will be able to comply by the deadline and are understandably distracted by for the need to demonstrate GDPR compliance. However, with data breaches occurring on an almost daily basis across Europe, I would argue that the top priority should actually be to reduce the risk of the data breaches. Reducing that risk doesn’t need to be complicated – concentrate on stopping the biggest causes of data breaches by making sure the basics are in place: keep all operating systems and software up to date, implement encryption for sensitive data, and educate all employees about the risk of phishing and other social engineering attacks.”
Businesses in Western Europe are slowly getting ready for GDPR, with 42 percent believing they will be ready; however, there is still a lot of ground to cover:
- Only 42 percent have created a Data Protection Officer role, a much smaller number than expected
- Currently only half of organisations have measures in place to ensure the individual whose data is being collected gives consent for data collection
- 44 percent have procedures in place to delete personal data in the event of a “right to be forgotten” request or if an individual objects to the processing of their data
- Less than half (45 percent) are able to report a data breach within 72 hours of its discovery.
Who is in charge?
In 70 percent of businesses, it’s the IT or IT security team that is taking responsibility for complying with GDPR. The research highlighted that only 4 percent of legal teams and 13 percent of board members or senior management are responsible for implementation.
Many IT decision makers called out a lack of awareness from key decision makers as a reason for not having certain protocols in place, such as being able to report a data breach within 72 hours of its discovery – a vital aspect of GDPR compliance.
The good news is 65 percent of organisations have a data security policy in place. 98 percent of organisations either have or are currently implementing a formal plan for employees that outlines what the data security policy is and what is expected of employees when they handle personal data. This shows that organisations are making headway in promoting data security in the workplace and encouraging employees to take the matter seriously.
Confusion over Brexit and GDPR
Despite Brexit, Britain will still need to be fully compliant with GDPR. However, the research has highlighted that many UK businesses think that Brexit may mean they no longer need to comply, with 26 percent of UK organisations admitting that since Brexit they are less clear on what needs to be done to comply or think they won’t have to comply. This has the potential to cause many companies to miss the deadline and face hefty fines.
The Brexit effect doesn’t stop in the UK. 66 percent of businesses in France and Benelux admit to being very or slightly concerned about data security now that the UK has begun the process to leave the European Union. It is clear that Brexit is causing uncertainty and confusion on both sides of the channel.