UK boardrooms aren’t treating the General Data Protection Regulation (GDPR) with the seriousness required, resulting in overconfidence when it comes to compliance.
This is the main finding of the latest research from Trend Micro, which surveyed over 1,000 IT decision makers from businesses across the globe.
With GDPR less than a year away, businesses and marketers are required to protect all customer ‘personal information’. However, the research reveals that businesses aren’t sure which data this actually applies to.
• 56% of businesses don’t know email marketing databases constitute personal information
• Eight in ten (79%) were unaware that a customer’s date of birth is classed as personal data
• Three in ten (29%) don’t know they need to protect a customer’s postal address
• One in ten (10%) of businesses aren’t protecting their customer’s email address
The research reveals a good awareness of the principles behind GDPR, with every single UK business leader surveyed (100%) knowing that they need to comply with the regulation, and a strong majority having seen its requirements (88%). In addition, nine in ten (88%) British businesses are confident that their data is as secure as it can possibly be – nine points ahead of the global average of 79%.
Despite this, there is some confusion over what constitutes the ‘personal data’ they need to be protecting. Of the respondents surveyed in the UK, eight in ten (79%) were unaware that a customer’s date of birth is classed as personal data. To make matters worse, over half (56%) of British business leaders wouldn’t class email marketing databases as personal data, dropping to three in ten (29%) for a postal address, and one in ten (10%) for a customer’s email address. With this data providing hackers with the grounds for identity theft, any business that isn’t protecting it correctly is at risk of a penalty fine.
While UK businesses are more confident in their defences than their peers overseas, their ability to identify personal data lags behind. In terms of the global average, six out of ten businesses (64%) wouldn’t count a customer’s date of birth as personal, marking a 15-point gap behind the UK. What’s more, four out of ten (42%) wouldn’t class email marketing databases as personal data – a 14-point gap behind British business leaders.
When it comes to penalty fines, UK businesses could be in for a surprise. A staggering three quarters (73%) are unaware of the sum of the fine they could face, with only a quarter (27%) recognising that between 2% and 4% of their annual global turnover could be sacrificed. While the global average doesn’t look bright, it’s still ahead of the UK: a third (33%) are aware of the fines GDPR presents. One in four UK businesses (28%) claim that a fine ‘wouldn’t bother them’, but these attitudes may change once they are aware of the true financial ramifications of a breach.
When asked what would have the biggest impact in the event of a breach, three in five UK businesses (60%) cited reputational damage, with just under half (47%) claiming this would have the biggest impact amongst existing customers. One in ten (13%) feared that new business prospects would be affected, while two fifths of businesses (39%) believe the fine would have the most impact.
“The lack of knowledge demonstrated in this research by enterprises surrounding GDPR is astounding. Birth dates, email addresses, marketing databases and postal addresses are all critical customer information, and it’s concerning that so many British businesses – despite their confidence – are unaware of that,” Rik Ferguson, VP Security Research at Trend Micro, commented. “If businesses aren’t protecting this data, they aren’t respecting the impending regulation – or their customers – and they definitely aren’t ready for GDPR.”
But the confusion doesn’t stop there. Trend Micro asked UK businesses who should be held accountable for the loss of EU data by a US service provider. Only a tenth (11%) could correctly identify that responsibility falls to both parties, a fraction worse than the global average of a seventh (14%). Three fifths of UK businesses (63%) think that the fine would go to the EU data owner, while a quarter (23%) believe that only the US service provider is at fault.
Pointing the Finger
It turns out UK businesses aren’t sure who should take ownership of ensuring compliance with the regulation, either. Of those surveyed, a quarter (25%) think that the CEO should be responsible for leading GDPR compliance, and just under a quarter (23%) think the CISO and their security team should take the lead.
But the C-Suite isn’t living up to expectations. Only a fifth of UK businesses (19%) have a C-level executive involved in the GDPR process, marking a 29-point gap between who businesses want to take charge, and who is actually doing so. The majority of UK businesses (61%) have the IT department taking the lead, while only a tenth of businesses (10%) have a board level or management member involved.
“With just nine months to go before it comes into force, GDPR should be the biggest boardroom issue of the moment. But the findings suggest it’s the elephant in the British boardroom. If organisations don’t take the regulation seriously, they could be subject to a fine that’s a significant portion of global revenue. The task for the C-Suite now is to see GDPR as a business issue rather than a security issue, before it gets to that stage,” Ferguson continued. “Preparing for GDPR is a tremendous task, from investing in state of the art technologies, to implementing data protection and notification policies. But this preparation will be redundant if businesses don’t understand what data this applies to, and which parties are responsible. There’s an industry-wide education gap here, and it needs to be addressed.”
With threats coming in every shape and form, businesses don’t just lack the expertise to combat them, but the cross-generational technology required, too. GDPR states that businesses must implement state-of-the-art technologies relative to the risks faced. Despite this, only a quarter of British businesses (25%) have implemented advanced technologies to identify intruders on their network as a precaution. A quarter (27%) have implemented encryption technologies, and a third (30%) have invested in data leak prevention technology.
About the research
The findings are based on joint research with Opinium. Between 22 May and 28 June 2017, 1,132 online interviews were conducted with IT decision makers from businesses with 500+ employees in 11 countries, including UK, US, France, Italy, Spain, Netherlands, Germany, Poland, Sweden, Austria and Switzerland. Respondents held either C-Level, senior management or middle management positions, and worked in organisations operating in multiple sectors, including retail, financial services, public sector, media and construction.