It has been more than a year since GDPR came into force, but the majority of businesses in the UK are still not in line with the data regulation. This was concluded by security firm Egress which, after polling decision-makers in the country, realised that 52 per cent were still not fully compliant.
More than a third (37 per cent) have had an incident reported to the Information Commissioner’s Office (ICO) within a year, and out of that number, almost a fifth (17 per cent) have had to do it multiple times.
It seems that mid-sized companies are either experiencing more attacks or are more diligent about reporting them: more than half (53 per cent) reported a data breach to the ICO in the last 12 months, compared to 36 per cent of small companies and 23 per cent of enterprises.
For a third, GDPR is no longer a major priority. Among those that do prioritise getting in line with the regulation, two elements receive most of the focus: auditing what data is collected and why, and making sure a Data Protection Officer is on board.
Tony Pepper, CEO of Egress, says that many organisations are opting for an “almost compliant is close enough” approach.
“The wait of more than a year between implementation and the first action taken by the ICO under GDPR seemed to lead to a perception outside the security industry that the regulation was ‘all bark and no bite’. Although the authority’s announcement that it intends to fine British Airways and Marriott such staggering sums sent shockwaves through the security community, it is concerning that only six per cent of organisations have taken action to avoid the full potential of the legislation,” he added.
“These announcements should definitely have acted as a clearer warning that organisations cannot risk compliance complacency.”