Only 39% of UK decision makers polled think the European Union (EU) General Data Protection Regulation (GDPR) applies to them, according to the 2017 Risk: Value report commissioned by NTT Security.
This is the lowest of all the European countries surveyed, including Germany, Austria, France, Sweden, Norway and Switzerland.
A further 20% in the UK said they do not know, which leaves 41% who believe it does not apply to them and are therefore potentially in denial of their future obligations under the GDPR.
This means that a significant proportion of UK firms have less than a year to comply with strict new rules on data privacy and security that affect any firm processing the personal data of individuals in the EU, wherever that firm is based.
The survey of 1,350 non-IT business decision makers across 11 countries also revealed that just 25% of US respondents believe the GDPR applies to them, while 20% said they do not know. Similarly, only 26% of respondents in Australia believe the new rules apply to them, while 19% said they do not know.
The picture outside Europe is therefore also a concern, given that the regulation applies to any organisation anywhere in the world that holds or collects personal data on individuals in the EU, and that breaches can result in penalties of up to €20m or 4% of annual global turnover, whichever is higher.
The most informed respondents were in Germany and Austria, where 53% recognise that the new data protection rules apply to them, and Switzerland, where 58% said the rules apply to them.
“While the GDPR is a European data protection initiative, the impact will be felt right across the world for anyone who collects or retains personally identifiable data from any individual in Europe,” said Garry Sidaway, senior vice-president of security strategy and alliances at NTT Security.
“Our report clearly indicates that a significant number do not yet have it on their radar or are ignoring it. Unfortunately many organisations see compliance as a costly exercise that delivers little or no value – however, without it, they could find themselves losing business as a result, or paying large regulatory fines,” he said.
Data storage reality
With data management and storage a key component of GDPR, the report raises serious concerns about knowledge of what data is being stored securely and where.
Just 41% of UK respondents believe that all of their organisation’s data is secure, while 55% said all of their company’s critical data is secure.
However, UK decision makers are much less well-informed than their counterparts in other countries about where their data is physically stored, with just 57% saying they know, compared with a global average of 67%. Only France is lower, with just 54% saying they know where company data is stored.
Asked if the GDPR will affect where and how their organisation’s data is stored, 42% of respondents in the UK said “definitely”, 31% “think so” and nearly one in five (18%) said “no”, which is double the global average of 9%, and the highest number of all of the countries surveyed.
“In theory, UK organisations should be ahead of the curve when it comes to the EU GDPR, given that it is a European data protection initiative,” said Linda McCormack, vice-president of UK and Ireland at NTT Security.
“You would hope that the date of 25 May 2018 is clearly marked in the calendars of any business, UK or otherwise, that collects or retains personally identifiable data from any individual in Europe,” she said.
GDPR relevant regardless of Brexit
McCormack emphasised that Brexit is no excuse, because UK companies will still need to comply whenever they process the personal data of individuals in the EU.
“What’s clear from our report is that a significant number do not yet have it on their radar or simply do not know if it applies to them. The fact they do not know means there is no plan of action in place,” she said.
“While our respondents are not in an IT function, they should still be aware of any new compliance regulations affecting their company’s security and data, especially as the implications of non-compliance are very serious.
“The problem is that many see it as a costly and time-consuming exercise that delivers little or no value to the business, yet, without it, they could find themselves losing customers or having to pay very large regulatory fines.”
UK respondents estimate, on average, that it would cost £1.1m to recover from a data breach – above the global average of £1m – while they estimate it would take 80 days to recover from a breach, compared with 74 days globally on average.
UK respondents expect a breach to lead to damage to reputation (67%), loss of customer confidence (64%) and financial loss (44%), while 10% expect staff losses and 9% believe senior executives would resign.
While 63% in the UK “agree” that a breach is inevitable at some point, compared to an average of 57% globally, only 59% said they are kept fully updated by their IT security team about attacks and potential threats to the security of the organisation, compared with an average of 67% globally.
Less than half in the UK (47%) report that preventing a security attack is a regular boardroom agenda item, suggesting that more needs to be done for it to be taken seriously at a boardroom level.
However, 72% of UK respondents said their organisation has a formal information security policy in place, compared with the global average of just 56%.
Nearly two-thirds (65%) of UK respondents said their organisation has an incident response plan, well above the global average of 48%, but just 44% are fully aware of what the incident response plan includes, the survey showed.
One in eight of all respondents believe that poor information security is the “single greatest risk” to the business. The most commonly reported risk is “competitors taking market share” (28%).
According to the global survey, 57% of decision makers believe a data breach is inevitable at some point, and they expect a breach to affect their long-term ability to do business as well as cause short-term financial losses.
Asked what the biggest impact of a data breach is likely to be, more than half (55%) cite loss of customer confidence. Other expected effects include damage to reputation (51%) and financial loss (43%).