Only half of UK IT decision makers are aware of the coming EU Data Protection Regulation, compared with 87% in...
Germany, a survey has revealed.
The survey by security firm Trend Micro polled 850 senior IT decision makers across Europe.
Of the 250 UK respondents, just 10% said they fully understood what steps their organisation needs to take to achieve compliance.
More than eight in 10 UK respondents believe their organisation faces significant challenges to comply with the data protection regulation, with a quarter saying that adhering to it is unrealistic.
Lack of employee awareness (44%) and restricted resources (31%) were highlighted as the biggest barriers.
The proposed regulation is a set of legislation that aims to bring comprehensive reform to data protection, strengthen online privacy rights and boost Europe’s digital economy.
If the regulations are broken, fines could be as high as €100m or 5% of global revenue.
While 95% of German respondents were aware there would be fines, almost a quarter of UK respondents were unaware of the proposed fines.
Nearly half of UK businesses said two to four years was a more realistic timeframe for them to comply.
Read more on EU data protection
- Essential guide: EU Data Protection Regulation
- Where next for the new EU data protection regulation?
- Legal briefing: The Draft EU General Data Protection Regulation
- EU Data Protection Regulation: fines up to €100m proposed
- MEPs adopt draft reformed data protection rules
- Data Protection Masterclass: New EU Data Protection Regulation
- MEPs vote to tighten data protection rules after internet surveillance revelations
- Internet firms concerned over EU data protection proposals
“With ratification expected in 2014, it is alarming to see how little is known about such key privacy regulations," said Rik Ferguson, vice-president security research at Trend Micro.
“This affects every organisation, regardless of size. If a company processes data then it needs to be aware,” he said.
According to Ferguson, data privacy should be a board-level discussion as companies look to gain maximum value from a new generation of big data projects.
“This is not just an IT issue. Duty to comply falls to everyone from the receptionist right up to the chief executive officer,” he said.
The survey revealed that even UK businesses aware of the regulations are confused over to whom it will apply and who will be responsible for compliance.
Almost a quarter of respondents either did not think the regulation would apply to their organisation or did not know.
Nearly four in five of UK respondents believe some responsibility for ensuring compliance with the proposed regulation lies with the organisation as a whole.
More than a quarter (28%) place responsibility for this with a data protection officer and around a tenth with the government or a business insurance provider.
Nearly two thirds of respondents believe the proposed regulation will apply to EU-registered companies and over a third think it will apply to companies in business with EU companies.
Less than half of respondents correctly identified that the proposed legislation will apply to any company that deals with EU resident data, even if that company does not have a legal entity within any EU state.
More than eight in 10 UK respondents said their organisation will need to take steps to become compliant.
To achieve this, most plan to increase employee training on data protection (57%), half plan to increase investment in IT security, and just over a quarter plan to increase their data breach insurance cover.
“These findings need to serve as a wake-up call, both to businesses and governments that these changes are coming and we all need to prepare,” said Ferguson.
“If they don’t take action there is the very real chance that they might wake up with a nasty fine on their hands that could potentially have a major impact on their business,” he said.
According to Ferguson, every business should start the process of compliance with a health check or assessment of where the organisation is right now in terms of what data is stored, how it is processed and what policies currently govern it.
“This will put organisations in a position to know where the holes are in their data policy and what needs addressing,” he said.