Only 48 percent of decision-makers at UK businesses have admitted in a survey that their businesses are fully compliant with the year-old GDPR, indicating that a majority of businesses could end up at the wrong end of regulatory action in the event of major data breaches or cyber attacks.
In a recent survey designed to gauge GDPR compliance of small, medium, and large businesses in the UK a year after the data security legislation was enacted, while 48% of decision-makers at UK businesses confirmed that their businesses were fully compliant with GDPR, 42% rated their organisations as ‘mostly compliant’ with the rest of them being at various stages of compliance.
That a majority of businesses are still not fully GDPR compliant over a year after the law was enacted indicates that a majority of businesses could end up at the wrong end of regulatory action in the event of major data breaches or cyber attacks.
Organisations are not working quickly enough to becomes fully GDPR compliant
What’s worse is that decision-makers agree that the zeal to comply with GDPR requirements has slowed over the past year, compared to the period preceding its enactment when businesses were rushing to create new security policies and hiring data protection officers and CISOs to meet the upcoming data security requirements.
Even massive fines imposed on large organisations such as British Airways and Marriott have not been able to spur businesses into action of late. According to Tony Pepper, CEO at Egress Software Technologies, the initial lack of regulatory action following the enactment of GDPR could have led to a perception outside the security industry that the regulation was ‘all bark and no bite’.
“Although the authority’s announcement that it intends to fine British Airways and Marriott such staggering sums sent shockwaves through the security community, it is concerning only 6% of organisations have taken action to avoid the full potential of the legislation. These announcements should definitely have acted as a clearer warning that organisations cannot risk compliance complacency,” he said.
His comments came in response to the survey’s finding that only 62 percent of decision-makers admitted that GDPR was a top priority for their organisations in the past year. 35 percent of decision-makers said that most of the work done by their organisations to comply with GDPR was carried out prior to the implementation of the data security law.
According to Ilia Kolochenko, founder and CEO of ImmuniWeb, the lack of GDPR compliance among UK businesses is not a question of intent but one of complexity that businesses are struggling to deal with.
“An incremental global shortage of cybersecurity skills considerably exacerbates the situation. Formidable fines pressed by the governments add a supplementary encumbrance upon exhausted security teams. Modern IT technologies are so diverse and intricate that few organisations have a holistic inventory of their digital assets and data being stored and processed in numerous clouds, IoT devices and shared with third-parties, often without due control.
“GDPR starts becoming detrimental in many organisations that abandon important security projects in favour of paper-based compliance. Importantly, GDPR is relatively new law thus many technical details on its practical implementation and construction are still to be decided in the courts.
“This ambiguity likewise hinders the overall progress towards compliance. Organisations should consider their practical business and financial risks when giving priority to certain projects, GDPR is not necessarily the top-tier priority for some businesses,” he said.
Small and medium businesses yet to fully comply with GDPR
The survey commissioned by Egress also found that while 56 percent of large businesses and 51 percent of small businesses are claiming to be fully GDPR compliant, only 39.5 percent of medium-sized businesses are projecting themselves as fully GDPR compliant.
Back in July, a study carried out by Alert Logic found that as many as 66% of small and medium businesses were running versions of the Windows operating system that had either expired, were unsupported, or are due to expire by January next year.
The security firm also found that more than 30 percent of small and medium businesses were still using Exchange 2000, an email server which has been unsupported for nearly ten years. The use of outdated operating systems and email servers makes these organisations highly vulnerable to cyber attacks and also makes them more likely to face stiff fines in the event of data breaches or successful cyber attacks.