momius -

UK government criticised over lack of GDPR explanation

Most IT decision makers in the UK are critical of the government for failing to educate organisations about the GDPR and its implications, and few have a clear understanding of it, a survey shows

More than seven in 10 IT decision makers believe the UK government should have done more to explain to organisations what the EU’s General Data Protection Regulation (GDPR) is, and how they should best prepare, a survey has revealed.

More than half (52%) believe the press and/or information security marketing departments are guilty of over-hyping the GDPR, according to the poll of 250 CIOs, CISOs and CSOs in UK-based companies, with more than 500 employees that was commissioned by security firm Bitdefender.

Despite the intense publicity around the GDPR and the continual publication of information and guidance by the UK’s Information Commissioner’s Office (ICO), 31% of chief information officers (CIOs), and more than a quarter (26%) of other C-level IT decision makers admit that they still would not be able to give a clear and concise description of the regulation and how their company has complied. A further 9% of C-level respondents, say they do not know if they would be able to provide such a description.

The survey also indicates that despite fines of up €20n or 4% of group worldwide turnover for non-compliance, the GDPR is doing little to persuade those in change to adhere to proper compliance practices.

Instead, C-Level IT decision makers are playing a game of chance with compliance, with 83% of CSOs and 51% of chief information security officers (CISOs) saying that they would be tempted to risk non-compliance to offset a complex implementation process.

However, this laissez-faire response drops to only 34% amongst CIO respondents, possibly due to the board’s requirement for those in this role to help mitigate overall organisational risk.

With the GDPR compliance deadline of 25 May 2018 fast approaching, the survey report said a day of reckoning might be on the cards for those that are not prepared, as the research shows that 72% of CIOS and 66% of all C-level IT decision makers believe that the ICO will have the resources to appropriately enforce the GDPR in the UK.

Read more about GDPR

Only 23% of senior IT respondents believe the ICO will not have the resources to enforce the regulation.

“This study brings a new perspective to GDPR compliance. As an industry, everyone in IT can agree that the GDPR represents the most significant change to data protection practices in two decades – yet despite the hype around it, it appears that not everyone is sure exactly what it is or whether their companies are ready for it. It’s this last point that is concerning,” said Liviu Arsene, researcher at Bitdefender.

“In less than 100 days, all companies will be held responsible for their handling of data as it relates to the protection of European citizens’ data. Companies will need to prove they are doing everything they can to protect this data, share who has control over it and even how, if at all, it is transported to other regions of the world.

“It’s not too late to act. Companies still have a small window of time to establish data ownership, identify security weak spots and shore up defences. The risks of not doing so simply do not add up in the modern enterprise, where data – and data protection – is money,” he said.

Read more on Regulatory compliance and standard requirements

Data Center
Data Management