FoI request reveals widespread lack of readiness for data protection law

The General Data Protection Regulation (GDPR), adopted by the EU in 2016, will give people more control over their personal information when it starts to apply on 25 May 2018, superseding the UK’s outdated Data Protection Act 1998, which was drafted in the 1990s.

As an EU regulation rather than a directive, it requires no UK legislation to take effect, which makes the two-year countdown a hard deadline by which companies must be compliant.

GDPR widens the definition of personal data to include online identifiers such as IP addresses and cookie IDs, and tightens the conditions under which companies can rely on people’s consent to process their data: consent must be freely given, specific, informed and unambiguous, rather than buried in terms and conditions.

It aims to make it easier for citizens to find out what data companies hold on them, and to give them more detail about how that data is handled and what it is used for.

People will also have a right to port their data from one company to another, to be told when their data has been breached, and a right to erasure (commonly called the right to be forgotten), which requires companies to delete a person’s data on request in certain circumstances.

These new rules represent dramatic changes to the way businesses are required to handle data, and the consequences for failing to look after such information properly can be drastic.

Companies that infringe the regulation, for example by failing to protect personal data adequately, face fines of up to €20 million or 4% of their annual global turnover, whichever is greater, compared to a maximum penalty of £500,000 under the current Act.

Latest GDPR news

05/07/2017:

The vast majority of councils in the UK have not yet allocated budget towards meeting the various requirements of the General Data Protection Regulation (GDPR).

With the EU data protection rules coming into force on 25 May 2018, 82% of councils have not earmarked money to deal with implementing them. The information came to light following a freedom of information (FoI) request by M-Files Corporation.

The company sent FoI requests to all 32 London boroughs and 44 other local authorities throughout the country, asking councils about their GDPR preparedness.

It found that 76% of London councils have not yet allocated budget towards ensuring compliance with GDPR, while the figure for the rest of the country stands at 89% (an average of 82% across all respondents). Additionally, 56% of the local authorities contacted have still not appointed a data protection officer, despite GDPR making this mandatory for public bodies.

Julian Cook, vice president of UK Business at M-Files, said that the findings point to a “serious lack of awareness” of the importance of GDPR and the challenges it will pose for local government.

“At this stage, we would have expected local authorities to be further along in their preparation efforts, but the data demonstrate that this is far from the case,” he said. “Inadequate preparation for GDPR will have serious financial implications if these boroughs ultimately do not comply with the new rules.”

He added that local authorities face a constant struggle to manage a series of diverse responsibilities, often having to work with limited budget and resources.

“Effective data management is often one of the most labour-intensive of these challenges, with local authorities tasked with administering and protecting ever-increasing amounts of sensitive data, such as personally identifiable information (PII),” added Cook.

19/06/2017: 23% of small UK firms haven’t started preparations for GDPR

Nearly a quarter of small UK businesses still haven’t started preparing for data protection rules that are less than a year away, according to a survey.

Around one in 10 enterprises with 500 or more employees are in the same position, NetApp’s survey of 253 CIOs and IT leaders in the UK found.

The EU’s General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018, and will introduce stringent new measures designed to give EU citizens more control over how organisations use their personal information.

Tough fines will apply to organisations that breach the law, with firms facing penalties of up to 4% of their annual turnover or €20 million, whichever is greater.

NetApp’s research found that the major issue seems to be a lack of understanding and awareness, with only 7% of small business respondents saying they fully understand the rules, and 14% admitting they don’t even know what GDPR is.

With only 19% of small business IT decision makers and CIOs claiming to be totally prepared for the legislation deadline, compared with 34% of larger business respondents, smaller businesses could fare worse under the new regulation’s heavy fines, NetApp said.

Marketing manager Martin Warren said: “The risks of non-compliance for a smaller business could be catastrophic — by virtue of size, they are even more vulnerable to the hefty fines for non-compliance.”

But a solid 28% of small business respondents said they have ‘a good understanding’ of GDPR, a figure higher than those from both medium (27%) and larger businesses (21%).

16/06/2017: Just 6% of UK firms regard GDPR compliance as a priority

UK companies are lagging behind France in preparing for the EU’s General Data Protection Regulation (GDPR), according to a new survey.

Just 6% of British firms have made complying with the new data protection rules a priority, security firm Sophos’s research, conducted last month, found, compared to 30% of French businesses.

Sophos’s survey of 625 IT decision makers in the UK, France, Belgium, the Netherlands and Luxembourg also discovered that 54% of respondents had little understanding that failure to comply could result in a fine of up to 4% of a business’s annual turnover or €20 million, whichever is greater.

One in five respondents said such a fine would force them to close, a figure that rose to one in two SMB respondents. More than a third surveyed admitted a GDPR fine would result in redundancies.

But the data showed that the UK considers the data protection measures less of a priority than the other European countries – 20% of British companies deemed GDPR a low priority, compared to 8% in France.

While one in five French firms are confident they’re compliant, that figure sinks to 8% in the UK, despite GDPR coming into effect from 25 May 2018.

“Getting ready for GDPR is a long process. If regulators demonstrate that they are prepared to impose the maximum fines in May 2018, then businesses will seriously regret not being prepared,” said John Shaw, vice president of product management for the end user group at Sophos.

So far, just 42% of firms have created a data protection officer role – a requirement under GDPR for public authorities and for organisations whose core activities involve large-scale, systematic monitoring of individuals or large-scale processing of sensitive data. Meanwhile, only half of IT decision makers told Sophos their company is able to gain consent from people whose data they’re collecting – a key tenet of GDPR.

Less than half said they’re able to delete people’s data when requested, as required by GDPR’s right to erasure (the ‘right to be forgotten’), and a similar proportion said they can report a data breach to their data protection authority within 72 hours of becoming aware of it, as the regulation demands.

“With data breaches occurring on an almost daily basis across Europe, I would argue that the top priority should actually be to reduce the risk of the data breaches,” said Shaw. “Reducing that risk doesn’t need to be complicated – concentrate on stopping the biggest causes of data breaches by making sure the basics are in place: keep all operating systems and software up to date, implement encryption for sensitive data, and educate all employees about the risk of phishing and other social engineering attacks.”

19/05/2017: Employees putting company GDPR preparations at risk

Research by M-Files has revealed that employees are making it difficult for businesses to prepare for the incoming GDPR legislation because they are using their personal devices and personal cloud accounts to access and store company information.

A third of workers are using shadow IT instead of company-sanctioned channels, bypassing the controls that are meant to ensure information is handled securely.

M-Files found that 33% of employees are using their personal devices rather than business-provisioned equipment to access and share company information, while 31% are using personal cloud services without the go-ahead from company IT departments.

“Going against company policies on sharing and accessing documents may seem relatively harmless, but it can have costly consequences, leaving organisations exposed to heightened security risks and compliance issues,” Julian Cook, VP of UK business at M-Files, said.

“With the General Data Protection Regulation (GDPR) on our doorsteps it’s critical that organisations maintain control and visibility of their documents and information handling practices.”

The survey questioned 250 IT decision makers about how they’re protecting data in their organisation, and revealed that 23% of those businesses had experienced at least one security breach in the past year because employees weren’t sticking to company-wide data security policies.

“The Shadow IT problem can be fought on two fronts. As a first step, organisations should implement and continuously reinforce a clear policy on the use of personal devices and file sync-and-share apps as well as communicate to staff the impacts of not adhering to these guidelines, which can negatively impact the company,” Cook advised.

“But perhaps more important is understanding and addressing the root causes of Shadow IT, which in most cases points to deficiencies in existing information management solutions and approaches.”