“GDPR compliance only ‘skin deep’ on first anniversary” highlights Shred-it survey

A recent survey commissioned by Shred-it has revealed “a positive understanding and engagement” with the principles of the General Data Protection Regulation (GDPR) among SMEs on its first anniversary. The findings show that 72% of UK SMEs report being ‘very aware’ of the GDPR’s requirements. However, 60% reported that the recent changes to data protection have had a ‘slight’ or ‘no’ impact on their business, while 8% didn’t know. The figures highlight a possible cosmetic understanding of the GDPR and key areas of concern around the more complex aspects of full compliance.

The independent survey of 1,439 SMEs was commissioned to gather insight on attitudes to data protection. It comprised a series of unprompted questions and covered a range of businesses in specific market sectors across the UK with 85% having 10 to 49 employees. When asked about GDPR readiness, nine-in-ten rated themselves as a ‘4’ or ‘5’ out of 5. The main actions taken were reviewing policies (45%) and e-mailing customers for consent (35%). These are considered to be the lighter ‘front end’ aspects of GDPR compliance according to Shred-it’s experts.

The survey data showed that one third (32%) of SMEs reported the GDPR has had a ‘great’ or ‘considerable’ impact on their business. When those businesses that had experienced challenges with GDPR compliance were probed further, they cited data breaches and disclosure requirements as the main challenges, with healthcare (27%) and property (25%) the industries most affected in those areas. Small proportions also reported issues with Subject Access Requests, again with healthcare (28%) and property (15%) the industries most affected.

Ian Osborne, vice-president for the UK and Ireland at Shred-it, stated: “On the surface it’s good news. It’s clear that many feel they’re already compliant with the GDPR having reviewed areas such as ‘consent’ activities and publishing a privacy notice. These typically deal with the ‘front end’ aspects of the GDPR. However, while many say they’re ready, there’s a real question mark over the extent to which the majority of SMEs are prepared to respond to a data breach or how to react to a Subject Access Request, for example. Our survey suggests that there’s still a need for a large education exercise to show SMEs what’s really involved in GDPR compliance at depth.”

Compliance with the GDPR

Of the 10% that said they were ‘not quite’ or ‘not at all’ ready (those who rated themselves ‘1’ to ‘3’ out of 5), 42% (i.e. 54 businesses) said they have not been dealing with it. When asked what was holding them back, their unprompted reasons were that data protection authorities were ‘only interested in bigger companies’, it was ‘not applicable to us’, it was ‘too complicated’ and they were ‘too busy’.

Of the 10%, two-in-five would only trust someone in-house to help them comply with the GDPR – only one-in-ten would consider external support, while only 4% would trust the data protection authority for assistance.

The SMEs that would consider external support were unsure what services they needed and when they would intend to look for support.

ICO enforcement action

In the 12 months from 25 May 2018, the Information Commissioner’s Office has taken 59 enforcement actions. There have also been numerous examples of enforcement across different industries, including high-profile fines levied against large companies and penalty notices issued to smaller businesses for failing to pay the data protection fee.

Osborne concluded: “Our survey seems to show two clear pictures emerging. One is where the majority of SMEs are genuinely engaged with the process of compliance. Within that group there are many who believe they’re already compliant, but may have missed some more complex parts of the GDPR. It’s the minority in that group who have recognised its greater challenges and are wrestling with its more complex areas. The other is one where some SMEs recognise they’re not ready, seem unwilling to address the issue of GDPR compliance and are reluctant to seek support in any form that would assist them. When the relevant authority’s fines become more common headlines across the UK, we expect that views may change about what compliance really means.”

Regulation continues to evolve

David Blonder, data protection officer at BlackBerry, has also made comment on the GDPR’s first anniversary.

“This time last year, many organisations around the world were scrambling to prepare for the GDPR. All companies affected were fearful that, if they didn’t comply, then they would be hit with a big fine. The reality of the GDPR is that it continues to evolve as cases interpreting the law are still forthcoming, along with anticipated fines and sanctions.”

According to Blonder, compliance is often a journey and, as things stand, 74% of UK organisations are still not GDPR compliant. “While lawsuits have been filed, the EU Data Protection Authorities are taking a measured approach as they apply the GDPR to their cases. According to Andrea Jelinek, chair of the European Data Protection Board and director of the Austrian Data Protection Authority, they’re focusing on quality, not speed. Several cases are expected to be announced within a few months.”

If the first year of the GDPR has taught us anything, Blonder feels, it’s about the importance of data privacy, both to consumers and to organisations. Now more than ever before, consumers recognise how highly sought-after a commodity their personal information really is to organisations and are demanding more from the companies with whom they choose to do business. They also recognise the value that information presents to malicious actors or the impact of misuse by organisations they trusted. Businesses should be taking preventative steps to protect personal information, rather than exploiting it. This means data protection and security should be paramount. Data privacy is no longer a ‘nice to have’ or a mere marketing strapline. Businesses today must ensure that privacy is embedded by design in the development of their services, products and business operations.

In conclusion, Blonder informed Risk Xtra: Ultimately, consumers want to be able to trust businesses with their data. Organisations should be putting data privacy high on their agenda to maintain the trust of their customers and be aware they face heavy fines and reputational damage if personal information is mishandled. As such, policy-makers and leaders across the tech sector need to have a robust discussion about how much regulatory oversight is needed, both to protect privacy and also spur innovation and competition.

Data breach notifications

European privacy authorities have apparently received nearly 65,000 data breach notifications since the EU’s new privacy law went into full effect. Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, stated: “This demonstrates that organisations are now truly concerned about complying with various GDPR requirements, including breach notifications. However, if we look at this differently, one may reasonably infer that a considerable number are insufficiently protecting their data, in turn allowing data breaches to happen. Worse still, these numbers are just a tip of the iceberg. Nation state attackers and professional cyber mercenaries infrequently leave any technical traces. Their intrusions remain widely undetected and thus unreported.”

Kolochenko added: “The GDPR is nevertheless a valuable mechanism to impose fundamental security requirements that many organisations were knowingly ignoring before enforcement in May 2018. We will likely see the first major outcomes, such as better-protected SMEs, fewer data breaches and better-educated users, in a few years’ time. Companies should not view compliance with the GDPR as some form of silver bullet. Rather, they should view it as a sign of good cyber security hygiene.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.