UK firms see employees as top risk to GDPR compliance

Most UK companies consider their staff as the biggest threat to compliance with the EU’s General Data Protection Regulation, a survey has revealed

Employees are rated more of a risk than current IT systems to successful compliance with the EU’s General Data Protection Regulation (GDPR), a survey has shown.

Three-fifths of senior IT executives across 200 medium to large UK organisations regard staff as the biggest threat to GDPR adherence, according to a poll by IT services firm Bluesource.

But just 40% believe their current IT systems could also pose compliance risks, with less than a year to go to the GDPR compliance deadline of 25 May 2018.

The survey also showed that although 50% of respondents are taking steps to prepare for GDPR compliance, 30% still believe the regulation will not affect them, and 20% are not sure what to do next.

This is despite the fact that the UK data protection regulator, the Information Commissioner’s Office (ICO), has said repeatedly that UK businesses must comply and that Brexit makes no difference.

The survey also revealed that, just 10 months before the GDPR compliance deadline, 80% of respondents said they face major challenges, including seeking increased security and governance around cloud environments such as Microsoft Office 365 and shadow IT.

According to 80% of those polled, big tech suppliers have a responsibility to ensure that not only their own systems but also those of their customers comply with the GDPR, although respondents said they are unsure how this will be achieved.

The increased financial impact of fines and the expected frequency of their enforcement is a major concern for most of those surveyed. An overwhelming 90% indicated that a non-compliance fine would result in huge reputational damage for their organisation and a loss of trust from customers, suppliers and staff.

On a more positive note, 45% of respondents have already nominated a member of a specific departmental function, including legal, compliance and IT security, to be solely dedicated to privacy and GDPR initiatives. However, 20% said they have not yet considered selecting a nominated person and 35% think it will be a challenge to find a suitably qualified and experienced individual.

Sean Hanford, information governance consultant at Bluesource, said the research across UK organisations indicates that a gap remains between GDPR awareness and action.

“There must be a swift attitude change towards data protection and staff clearly require better skills so that they become more data savvy,” he said.

Hanford said Bluesource has partnered with the British Standards Institute (BSI) to help organisations to stop seeing GDPR as a box-ticking exercise, and instead create a framework that can be used to build a culture of privacy and a responsible attitude to data.

Bluesource and the BSI have developed a joint range of GDPR compliance and governance initiatives to help organisations manage and maintain adherence to EU data protection standards, he said.

These initiatives will enable organisations to take best-practice action by understanding the data risks that they create for others, and how these can be mitigated in a secure and compliant way, said Bluesource.

Options include a compliance assessment that identifies an organisation’s GDPR state of readiness, and systems that help optimise data control, visibility and responsibility.