Clearswift Survey: “Board members at odds with management on level of GDPR compliance”

New research conducted by data security company Clearswift has shown that Board members are more confident than management about their particular organisation’s ability to comply with the General Data Protection Regulation (GDPR) in time for the 25 May deadline set by the European Union.

The research, which surveyed 600 senior business decision-makers and 1,200 employees across the UK, the US, Germany and Australia, reveals that 41% of Board-level respondents think they have all of the necessary processes in place to be GDPR compliant, yet only 25% of senior management and even fewer middle management respondents (21%, in fact) think the same.

It’s important that Boards of Directors understand the true state of GDPR compliance in order to address any issues in time for the deadline, and also to identify ways of growing their business through better information governance.

When it comes to the ‘Right to be Forgotten’, which entitles EU citizens to request that an organisation deletes all references to them that it holds, over half (56%) of Board-level respondents think that their organisation could handle hundreds of requests at once. However, the detailed Clearswift survey suggests that only a third (36%) of middle management agree with that view.

Not only does the research show a differing opinion between the Board and management-level respondents, but it also reveals insights into the extent of data duplication that exists within organisations. For example, 49% of Board-level respondents and 31% of middle management feel their organisation definitely duplicates customer data.

Two-thirds (66%) of Board-level respondents and 70% of senior management believe that employees in their organisation have downloaded work documents to their personal devices (such as a laptop, smart phone or tablet) that haven’t subsequently been deleted (either unintentionally or otherwise).

Misplaced confidence on GDPR compliance

Dr Guy Bunker

Dr Guy Bunker

Dr Guy Bunker, senior vice-president for products at Clearswift, said: “Board-level respondents may have a misplaced confidence when it comes to their organisation’s level of GDPR compliance. However, once a Board becomes aware that its confidence may be misplaced, then it’s immediately one step closer to compliance. By engaging closely with management, the Board will have a much clearer and more accurate view of the state of compliance, and will then be able to put measures in place to address any issues unveiled.”

Bunker continued: “Middle management is more likely to have a better view of the data that the organisation holds – where it’s saved and how it’s being used – because they’re more familiar with the day-to-day operations and challenges that members of staff may encounter. For example, if a company doesn’t have its own private file sharing service, this may drive employees to use third party sites or download data to a USB. Management should be encouraged by the Board of Directors not to filter out ‘bad’ information. For example, if data duplication is rife, the Board needs to know about this such that it can address the issue in time for the GDPR deadline.”

In conclusion, Bunker informed Risk UK: “The GDPR can be the first step towards better information governance. GDPR compliance is about being able to recognise a particular data set and protect it accordingly. The same processes and technology can be used to protect other types of information deemed valuable to the organisation. Product design documents, price lists, patent applications and even information around service pricing and contract bids would all fall into this category.”

*Clearswift has published a White Paper, entitled ‘The GDPR Divide: Board Views versus Middle Management’, which is available for download at:

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts