According to a UK government survey, less than half of GDPR-aware companies are updating security policies to address the change.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- The General Data Protection Regulation goes into effect May 25, 2018, but only 38% of UK companies are aware of what it is.
- Of GDPR-aware companies in the UK, less than half have made any security changes to improve their chances of compliance.
The General Data Protection Regulation (GDPR) is set to go into effect on May 25, 2018 (four months from the time of this writing), but only 38% of UK businesses and 44% of UK charities actually know what it is, according to survey data collected by the UK government.
When the numbers are broken down, major disparities emerge among companies of different sizes. Large companies, defined as having 250+ employees, were 80% aware, while medium companies (50-249 employees) were 66% aware, small (10-49 employees) were 49% aware, and micro (2-9 employees) were 31% aware. Industry-wise, finance, insurance, communications, and education were the most aware. Construction and manufacturing were the least aware.
A similar division is seen among different-sized charities as well. However, charities that brought in more money were also more likely to be aware of GDPR, the survey data found.
Any company that maintains a presence in an EU country, or processes personal data of European individuals, will be affected by GDPR—which means its impact extends outside of the UK. GDPR compliance affects how a company will store, process, manage, and transfer personal data, while also impacting the level of transparency a company must maintain regarding the data it stores on individuals.
The GDPR is a foundational piece of the UK's new Data Protection Act, which was enacted to help bring the UK into the digital age. The fact that so many companies are unaware of the regulation means that they could face fines or other penalties for being out of compliance when GDPR is live.
As such, one would expect that companies are racing to get their data in order to avoid any penalties, but that isn't necessarily the case. According to the UK government data, "Among those aware of GDPR, just over a quarter of businesses and of charities made changes to their operations in response to GDPR's introduction."
A few more had made changes to their security approach, though. Among GDPR-aware companies, fewer than half of UK businesses made any changes to their security policy or practices in preparation of GDPR. For charities, that number was a little more than one-third.
For both companies and charities, the most common change was either to create a new policy for GDPR, or change an existing policy to address the regulation, the UK government data reported. The second most common change was to hire additional staff and increase communications.
This data was part of a greater survey called the Cyber Security Breaches Survey, released Wednesday.
- The General Data Protection Regulation (GDPR) (TechRepublic)
- EU General Data Protection Regulation (GDPR): The smart person's guide (TechRepublic)
- GDPR: Deadline looms but businesses still aren't ready (ZDNet)
- Why legislation could be a double-edged sword for IoT security (Tech Pro Research)
- How Europe's GDPR will affect Australian organisations (ZDNet)