European firms far from ready for new data rules, study shows

As European authorities aim to ratify revised data protection rules by 2015, many firms have a lot to do to comply

As European authorities aim to ratify revised data protection legislation by the end of 2015, many firms will have a lot of work to do to comply, a study has revealed.

If all goes according to plan without any more deadline slips, European firms will have to comply with the reviewed laws some time in 2017, following a two-year implementation phase.

However, despite 84% of 1,500 office workers polled in the UK, France and Germany saying Europe needs stronger data protection laws, 77% are not confident their organisations comply with current rules.

This means only 23% were completely confident their organisations complied with current legislation, according to the survey commissioned by security firm Sophos.

While 91% of respondents had at least one safeguard in place when it came to protecting personal data, only 59% had antivirus protection.

Almost half said their organisation either did not have a data protection policy in place, or had not told employees about one.  

The survey, aimed at gauging professionals’ understanding of data protection ahead of the proposed EU reforms, showed knowledge and awareness of data encryption is low.

A fifth said their organisations are not encrypting personal data, while a quarter said they did not know if their organisation was using data encryption, and 7% admitted not knowing what encryption was.

More on EU data protection reform

  • EU data protection reform threatens NHS record-sharing plans
  • Revised EU data protection in effect already, says lawyer
  • Only one in 100 cloud providers meet latest EU data protection requirements
  • EU data law changes are a security channel opportunity
  • Where next for the new EU data protection regulation?
  • Infosec 2014: Act now, but no new EU data protection law before 2017, says ICO
    EU Data Protection Regulation: fines up to €100m proposed
  • Half UK IT decision makers unaware of coming EU data laws, study shows

Again, only 23% could confirm their organisations encrypted employee and customer data.  

The report also examined user attitudes to mobile device security, with 98% agreeing the data is to an extent more important than the device itself.

However, a quarter confessed to storing corporate information on their personal laptops and mobile phones, with 19% revealing they had lost a personal or mobile device.

When it came to securing mobile devices, the majority (64%) said their organisations implemented passwords to secure mobile devices.

However, only 31% of those with company phones were able to confirm they were encrypted, compared with 51% confirming their company laptops were encrypted.

The UK had the highest percentage of encrypted company laptops – 62%, compared with 36% in France and 56% in Germany.

The UK also had the highest percentage of encrypted company mobiles – 41%, compared with 21% in France and 32% in Germany.

This disparity between encryption on mobile phones and laptops highlights the continued willingness to accept mobile phones as a risk, according to the study report.

The majority of respondents agreed information was the most valuable asset, with 95% saying they need to share, send and access corporate data from any device or location in order to work effectively.

But the survey showed two thirds of respondents do not always check whether the data is safe to share, and little more than two thirds said to share data easily, they were willing to use personal cloud services to circumvent company IT restrictions and policies.

Attitudes to cloud storage differed in each country. Overall, 31% said their organisation allowed them to use cloud storage solutions – like Dropbox – in the workplace.

However in the UK this increased to 44%, with only 27% allowed in France and 23% in Germany.

A further 11% were not allowed to use cloud storage solutions, but said they did so anyway.

The survey showed UK respondents are also more likely to share data in the cloud – 52%, compared with 40% in France and 34% in Germany.

Overall, 61% of respondents said it was important to have stronger laws on data protection governing all European countries. This broke down to 54% in the UK, 68% in France and 62% in Germany.

There were also differences in opinion between the three countries with regard to the security of personal data, with France (86%) more concerned than the UK (78%) and Germany (74%).

Only 29% of respondents in Germany were concerned about cyber criminals getting hold of data, compared with 49% in France and 45% in the UK. Additionally, 76% of respondents in France were more concerned about the security of corporate data, compared with 62% in the UK and 59% in Germany.

Interestingly, 60% of employees in the UK – compared with 43% in France and 50% in Germany – said their organisation had a data protection policy and it had been clearly communicated, with employees in larger organisations more likely to be aware of data protection policies.

Data protection reform a step in the right direction

“Although there is still some fine-tuning to be done to the proposals for reformed data legislation in the EU before they can become law, the core principles are unlikely to change,” said Anthony Merry, director of data protection at Sophos.

The proposed legislation allows for more help and support for organisations hit by data breaches than the current legislation in the UK

James Lyne, Sophos

“All in all, we see this as a positive step in the right direction to bringing all member states under a single set of rules appropriate for the modern, digital world,” he said.

The current data protection directive dates from 1995, but there have been many changes since then, such as widespread use of smartphones and enterprise adoption of cloud-based services.

At the very least, Merry believes the new legislation will achieve the goal of raising awareness about the importance of data protection.

“Many of the companies I talk to still do not understand what data protection is, why businesses need to do it and why it is important, and that needs to change,” he said.

With the proposed fines of up to 5% of global turnover, or €100m, he believes the planned data protection laws will help focus the attention of business executives on the issue.  

Mandatory breach notifications will force companies of all sizes to think more carefully about data access, according to James Lyne, global head of research at Sophos.

In particular, he said it will force small-and-medium enterprises (SMEs) to limit access to the data employees need to do their work, instead of full access to everything by anyone on the company network.

“The new laws should result in greater data segmentation, more use of encryption and more groups of data with policy around them,” said Lyne.

SME-friendly data protection legislation

But while it will force SMEs to report all data breaches, it will also be more SME-friendly by requiring data protection authorities to help companies hit by breaches to deal with the impact.

“The proposed legislation allows for more help and support for organisations hit by data breaches than the current legislation in the UK,” said Lyne.

“The new laws are aimed at encouraging organisations to report breaches as quickly as possible by offering reduced liability and support in mitigating the effects of a breach,” he said.

Lyne hopes the new laws will encourage SMEs to choose a security standard to implement and seek professional advice to ensure they are following best practices.

“This approach means that if they are hit by a breech, they are more likely to be supported as a victim, rather than being fined for being negligent though failing to take appropriate measures,” he said.

The proposed legislation, he said, will go a long way to ensure businesses are not failing to take basic security measures to ensure data is protected.

Encouraging data encryption

The reviewed legislation is also likely to help drive encryption of data, said Merry. “If data is encrypted, even it if IT systems are breached, companies will not be liable under the law,” he said.

Encrypting data will also mean even though organisations will have to report a data breach, they will not have to notify individuals that their data has been compromised.

While continual data breach notifications may result in notification fatigue, Merry said the overall effect is likely to be an increase in awareness of the issue by companies and consumers.

“This means consumers are more likely to transact with businesses they feel they can trust with their personal and financial information,” he said.

Another positive effect of the proposed legislation is that it will force all companies that hold the data of EU citizens to offer better protection, even US-based companies.

Lyne said cyber crime is transnational, but laws still tend to be national. However, the proposed EU data protection laws will go some way to changing this by bringing the law more in line with real-world practice.

Read more on Privacy and data protection

Data Center
Data Management