More than half of UK businesses not GDPR compliant

Report says more needs to be done to turn the tide against data breaches

Despite it being over a year since GDPR was introduced, more than half of UK businesses are failing to comply with the legislation, a new report suggests.

The survey of 250 UK GDPR decision makers, conducted on behalf of data security firm Egress, found that 52 percent of businesses are not fully compliant with the regulation, which came into force May 2018.

The report, which surveyed companies of all sizes across a variety of sectors, suggests mid-size companies (those with 250-999 employees) are the worst compliant, with 39.5 percent reporting full GDPR compliance, compared with 56 percent of large and 51 percent of small companies, Egress said.

37 percent of respondents have reported an incident to the Information Commissioner in the past 12 months, with 17 percent having done so more than once. Broken down by company size, 53 percent of mid-size companies have reported a breach, compared to 36 percent of small companies and 23 percent of enterprise organisations.

Previous GDPR surveys have revealed that 30 percent of European businesses are not confident they are GDPR-compliant, suggesting the UK private sector is perfoming worse than in Europe.

35 percent of companies said GDPR compliance was top of the agenda in the build up to the May 2018 deadline but has since slipped down their list of priorities, despite the hefty and high-profile fines recently issued to Marriott and British Airways for noncompliance.

“Although the authority’s announcement that it intends to fine British Airways and Marriott such staggering sums sent shockwaves through the security community, it is concerning only 6% of organisations have taken action to avoid the full potential of the legislation,” said Tony Pepper, CEO at Egress.

“These announcements should definitely have acted as a clearer warning that organisations cannot risk compliance complacency.”

The largest area of compliance investment has been towards new processes around the handling of sensitive data (28 percent), followed by data collection auditing (18 percent), recruitment of a Data Protection Officer and other compliance personnel (18 percent), and new technology (18 percent). Less than one-in-ten said user education and training had been their biggest area of investment.

“It’s positive to see that almost one-fifth (17%) of respondents are looking to technology as a way to mitigate breaches, but they must ensure these solutions tackle human error as the root causes of many of these incidents,” Pepper added.

GDPR was introduced to give European citizens more control and access to the personal data collected from them by organisations, with more transparency and the threat of larger fines to those in breach of the rules also introduced.

Between May 25 2018, the day which GDPR was introduced, and the beginning of May this year, the Information Commissioner’s Office received a total of 14,072 data breach notifications.