Many companies have de-prioritized their compliance efforts for GDPR, and the regulation is not in a good shape, reports say
As the EU’s General Data Protection Regulation (GDPR) completes 18 months in force, research by Egress, a security software supplier, shows that over 50% of UK businesses are not compliant with the rules and could fall victim to data breaches and even penalties. The report surveyed 250 decision-makers across large enterprises, medium-sized businesses, and small businesses, revealing that only 48% of companies were fully compliant and 42% were “mostly” compliant.
Experts believe this suggests that non-compliance with GDPR rules is not only widespread but that, in some cases, security professionals are also obscuring their actual level of compliance. According to two other separate surveys, by RSM, an audit and tax consultancy, and by Delphix, a data virtualization firm, 30% of European businesses were not confident that they were compliant, and some said that although their leadership believed they were compliant, this was not necessarily true.
Over 30% of respondents to Egress’ survey believe that GDPR has become “less of a priority” in the last year. For most of them, the majority of their compliance activity happened before the May 2018 deadline, after which GDPR dropped off the priority list.
When the Information Commissioner’s Office (ICO) issued huge fines against British Airways and Marriott, only 6% of decision-makers said that these high-profile incidents prompted a renewed focus on awareness. Experts believe that for many companies, being ‘almost compliant’ has become close enough to being compliant. This attitude among a significant number of decision-makers indicates that focus on GDPR has diminished in the past 12 months.
Some experts also believe that the cause of this is the delay in action against non-compliant companies. Since there was a wait of over a year between implementation and the first enforcement action by the ICO under GDPR, a perception arose that the regulation is ‘all bark and no bite.’
Investment in GDPR compliance increased sharply in 2018, but in the last year fewer than 30% of respondents to the Egress survey have felt the need to implement new processes governing the handling of sensitive data.
Despite the regulations and compliance requirements, over one-third of companies had reported at least one GDPR breach to the Information Commissioner in the last 12 months, and according to ICO data, 60% of these were caused simply by human error.
Experts think that strategies need to shift if data is to be protected from breaches, and that the only way for organizations to make progress is to rely on people to follow processes and protect data.