You might be forgiven for believing that the twin purposes of the EU’s General Data Protection Regulation (GDPR) were to stop spam emails and punish businesses who lose control of customer data to cyber thieves. Although these are the issues that have dominated our inboxes and the news headlines, and there is a high degree of awareness among consumers and regulators about the need for strong data security, companies of all sizes still seem to be struggling with the core of what the GDPR is really trying to achieve.
The GDPR’s underlying message is that data protection and compliance must become a core part of all business practices. To achieve and then maintain compliance, as well as offer customers the best protection, organisations must take a holistic view and bake security into the heart of their operations, ensuring reasonable protection of personally identifiable information (PII) at all stages of collection and processing.
Firms demonstrate low level of compliance to the GDPR’s requirements
According to the 2018 Shred-it Information Security Tracker, a study by IPSOS of UK C-suite executives, small business owners and consumers, revealed too many firms still struggle with key parts of the GDPR’s requirements and ethos.
The most important insight is that companies are no longer operating in a field where the rules are not clear and well known. Consumers surveyed expressed a high degree of literacy on the subject: 86% said that data protection is important when choosing a bank, 75% said it was important at work, and 70% said it was important when choosing a dealer from which to buy a car.
Demonstrating a commitment to security, then, is essential to win and retain customer trust. The law, of course, says it’s 100% important in all of those cases. However, the survey found that in the weeks leading up to the implementation of the GDPR, nearly a quarter of small businesses were still totally unaware of it, and only 17% had begun to review their security policies in preparation.
Still not GDPR compliant? It’s time to get a move on with three simple steps
Mike Smart, Security Strategist, EMEA, Forcepoint, explains to Information Age a blueprint for GDPR compliance
The numbers weren’t much better for large companies. The survey asked corporations four key questions about compliance, and only a minority of organisations said that they had been addressed. These included whether or not they had reviewed their IT security policies (only 46% said yes); have implemented a system for documenting lawful data processing (44%); appointed a data compliance officer (44%); and updated their procedures for detecting, investigating and reporting data breaches (39%).
Tellingly, while a third of C-Suite executives at large corporations believed they had experienced a data breach in the last year, only 3% of small business owners said the same. This discrepancy is more likely to reflect a lack of awareness that systems have been breached than an unusually security-hardened sample selection.
Is the ad hoc approach leaving your data vulnerable?
Addressing these gaps in knowledge and compliance must be done in a methodical and consistent manner and must be well communicated to employees. The current ad hoc approaches are leaving data vulnerable and creating inconsistencies that the regulators will not look lightly upon in the event of an investigation.
Take remote working: C-Suite executives almost unanimously shared that employees often work off-site or with a flexible working model. Nine out of 10 said they trusted their employees to safeguard information when working in this manner. At the same time, 80% believe this puts data at more risk, yet significant proportions do not provide employee training around areas such as identifying fraudulent emails (30%), reporting lost or stolen devices (35%) and using public WiFi for business (45%).
The GDPR and Brexit
James Castro-Edwards, Partner and Head of Data Protection at Wedlake Bell, discusses the three possible outcomes for GDPR post-Brexit, dependent on whether we get a deal or not
What’s more, companies are forgetting that data protection extends to physical media as well. The number of large corporations which indicated that their company has a locked console and professional shredding service for confidential documents actually fell by 16 points compared to the previous year. The numbers for small businesses are, again, much worse.
There is still much work to be done, then, in order for the majority of businesses, large and small, to prove they are truly GDPR compliant, and able to live up to consumer expectations around their data security responsibilities. Although the media spotlight has moved on from GDPR, the work to integrate its underlying message and ethos into every aspect of practice has only just begun.
Written by Ian Osborne, Vice President UK & Ireland for Shred-it