Companies Still Unprepared for GDPR Compliance

Over half of UK businesses aren’t compliant with the GDPR more than 15 months after its introduction, despite many reporting data security incidents to the Information Commissioner’s Office (ICO), according to new research from Egress.

The security vendor polled 250 “GDPR decision-makers” from companies of all sizes and sectors to compile its new report, GDPR compliance: where are we now?

Some 52% said they were not fully compliant with the EU-wide data protection regulation, with over a third (35%) claiming compliance had dropped down the priority list over the past year. While there has definitely been a lessening focus on GDPR since the rule took effect over a year ago, the ICO’s recent high-profile announcements of its intentions to fine British Airways and Marriott have put this regulation back in perspective for many companies.

Below are some of the findings from that report:

– While 96% of UK firms have invested in processes for handling GDPR and data, only 48% are in full compliance, meaning that 52% are not.
– Of the GDPR decision-makers polled, 37% said they had to report a data breach incident in the last 12 months. Of these, 17% had reported more than one incident.
– Email played a role in 18% of the breaches, with these failures resulting from mistakes such as sending an email to the wrong recipient or not using BCC.
– Another 40% of the incidents resulted from incorrect disclosure, 20% from employees sending the wrong data to a recipient, 5% from phishing attacks and 14% from other causes.
– Of the large companies surveyed, 10% reported a single breach and 13% reported more than one. Mid-size outfits were more likely to be hit, with 30% reporting one breach and 23% reporting more than that.

If there’s any good news from these dizzying statistics, it’s that they are rich in learning for compliance professionals. Beyond having a plan in place, firms need to begin rehearsing a data breach response, cognizant of the GDPR time deadline. Moreover, it also goes to show that your compliance team needs to have a seat at the table and not let this just become another “IT issue.”

To help financial institutions that may be affected by this regulation comply, Quest CE offers a course entitled “General Data Protection Regulation (GDPR).” This course covers the history of the regulation, how GDPR differs from U.S. regulations, and the penalties for non-compliance.