With GDPR fast approaching and fewer than half of all businesses and charities aware of the data security legislation, Digital and Culture Secretary Matt Hancock has asked them to pull up their socks and prepare quickly for a law that promises to be nothing like the existing data protection law.
Firms in the manufacturing and construction sectors have displayed the lowest level of awareness about GDPR, while those in the finance and insurance sectors are the most aware.
Ignorantia juris non excusat has been one of the most widely practised legal principles across the world for centuries. Yet the attitude displayed by British businesses and charities towards one of the most punishing pieces of legislation in recent times suggests that the principle only exists inside the walls of courtrooms.
The government's latest Cyber Security Breaches Survey has revealed that 62 percent of businesses and 56 percent of charities in the UK are still unaware of GDPR, a pan-European data security legislation that promises to impose fines of either 4 percent of an organisation's annual turnover or €20 million (whichever is greater). The GDPR will come into force on 25th May this year.
To make things even worse, only just over a quarter of businesses and charities have actually taken steps to prepare themselves for the upcoming legislation. Among those who made changes, just under half of businesses and just over one third of charities have made changes to their cyber security practices. In short, the total number of businesses and charities that have taken meaningful steps to be compliant with GDPR is minuscule compared to the number of businesses and charities presently operating in the UK.
Considering that the UK will soon separate itself from the European Union, the government has passed a Data Protection Bill which resembles the GDPR and which will help the UK to be recognised by the European Commission as providing an adequate level of protection, in order to facilitate international transfers of personal data without the need to put in place alternative mechanisms like model clauses.
'We are strengthening the UK’s data protection laws to make them fit for the digital age by giving people more control over their own data. And as these figures show many organisations still need to act to make sure the personal data they hold is secure and they are prepared for our Data Protection Bill,' said Digital and Culture Secretary Matt Hancock following the release of the survey's findings.
A further breakdown of the survey's findings shows that while 80 percent of large businesses that employ more than 250 people have heard about GDPR, only 31 percent of micro businesses and 49 percent of small businesses that hire fewer than 50 people have heard about the upcoming legislation.
Similarly, while 75 percent of large charities that employ more than 250 people have heard about GDPR, only 37 percent of micro charities and 47 percent of small charities have heard about it.
The highest awareness of GDPR has been displayed by firms in the financial and insurance sector (79 percent) and those belonging to the information or communications sector (67 percent). On the flip side, only 25 percent of firms in the construction sector and 27 percent of firms in the production & manufacturing sector are aware of GDPR.
'Gaining a good understanding of GDPR is still a work-in-progress for many organisations – and it’s important to consider the impact mishandled data might have on the organisation itself, customers and employees. It is concerning that at this late stage only 80% of large businesses are aware of the regulation,' says Darren Anstee, Chief Technology Officer at NETSCOUT Arbor.
'The fact that creating and changing policies in order to comply with the new GDPR legislation is the most common change made by business and charities alike is both good and bad. On the one hand organisations have obviously taken on board the process and policy changes they need to comply, however the low percentage shown around other types of change may indicate that the focus has been purely around compliance, rather than looking at the aim of the legislation – to improve the way people’s data is acquired, processed, stored and secured.
'While some changes may incur additional costs to businesses, others may reduce overall costs, such as the unification of regulation. The impact of data-breaches to both business and the end-user can be significant and, ultimately, it is crucial that organisations invest appropriately to protect themselves and their customers,' he adds.