Six in 10 UK adults have never heard of the European Union’s General Data Protection Regulation (GDPR) that will form the basis of coming UK data protection law, a survey has revealed.
The survey of 2,000 UK adults was commissioned by cloud security firm Netskope to get a snapshot of current understanding of the GDPR among adults of working age, and the extent to which employers have informed staff about the regulation.
Almost 63% had never heard of the GDPR, fewer than 10% of respondents claimed to have a detailed knowledge of the regulation, and just over 14% said they had heard of the regulation but did not know what it was. Just over 13% said they had some general understanding of the GDPR.
When asked if their employer had informed them about the GDPR and its effect on working processes, 70.4% said that they had not been told anything about the GDPR yet by their employers, despite the fact that all UK companies handling EU citizens’ personal data will have to be compliant in 16 months’ time.
A further 8.6% said the GDPR had been mentioned, but that they were unsure of the details of the regulation, and 21% said they had been offered “plenty” of information about the GDPR.
Finally, when asked to state the maximum fine possible for a company found to have breached the regulation and infringed on data subjects’ rights in the process, just 1% of respondents were able to accurately pinpoint the correct maximum fine of €20m or 4% of annual worldwide turnover, whichever is larger.
Just over 20% thought the maximum fine would be €1,000 or less, underestimating the figure by a factor of 20,000. Just under 10% thought the maximum fine was €1m, which is just 5% of the maximum fine under the GDPR.
Businesses ‘misguided’ in GDPR approach
In 2016, TalkTalk was issued with a £400,000 penalty by the Information Commissioner’s Office (ICO) for security failings that allowed a cyber attacker to access customer data “with ease”.
Even if translated into a lower tier GDPR fine (the higher of 2% of annual worldwide turnover or €10m), this fine would have increased to £3.68m, demonstrating the increased financial incentive for businesses to tackle GDPR compliance.
André Stewart, vice-president for Netskope in Europe, said the findings of the survey show that organisations have a lot of work to do to educate employees on the GDPR and the safe data handling behaviour needed to achieve compliance.
“With seven in 10 UK adults yet to be educated about the GDPR by their employers, it’s possible that many employers are either unaware of the importance of coaching staff or they are not yet making the GDPR a high priority,” he said.
“Unfortunately, both approaches are misguided and leave companies open to GDPR compliance breaches – and massive potential fines as a result.”
The findings have even greater relevance for UK firms in the light of the fact that digital minister Matt Hancock has confirmed the UK will implement the GDPR fully and replace the 1988 Data Protection Act with legislation that mirrors the GDPR.
Unaware employees present risk to company
According to Stewart, if employees are not taught what security best practice looks like, they cannot do their everyday jobs securely, presenting a major risk to the organisation.
“Employers will need to show that they have trained their employees on the GDPR to achieve compliance,” said Stewart.
“The amount of effort put into coaching employees on secure data handling is likely to be one of the questions regulators ask when deciding whether to penalise organisations. This means coaching is essential to limit the risk of a breach in the first place, and then again to limit the extent of any potential penalty.”
Alongside coaching, Stewart said employees will also need the tools to do their jobs securely without sacrificing ease and convenience. “Ensuring the secure use of cloud services will be a fundamental piece of the compliance puzzle,” he said.
On average, organisations estimate that 40 to 50 cloud services are in use across their business. However, the January 2017 Netskope cloud report found that the average number of cloud services in use per enterprise in Europe, the Middle East and Africa is 845.
According to Netskope, 66% of all cloud services were judged to fall short of the standards required under the GDPR, meaning they lack the proper residency, privacy, and security controls required for compliance – or were not close enough to the required standard to be considered capable of achieving compliance by the May 2018 deadline.
The Netskope cloud report data also shows 82% of cloud services do not encrypt data at rest, 66% do not specify that their customers own the data in their terms of service, and 42% do not allow admins to enforce password controls.