Two years after the EU’s General Data Protection Regulation (GDPR) was first announced, 20% of IT decision makers in the UK are still unaware of its existence, according to research.
The European Parliament formally adopted the GDPR on Thursday, and when it comes into force in 2018 it will be applicable to all organisations with data stored in or passed through Europe. That includes organisations outside of Europe with European customers.
Of the 100 IT decision makers surveyed by Trend Micro that were aware of the GDPR, 29% didn’t think it would apply to their organisation or were unsure.
Failure to comply with the new regulation can have a big impact on a company’s bottom line – with organisations facing fines up to 4% of their annual turnover for non-compliance.
According to research, almost a fifth of companies (18%) aren’t currently aware that they may face fines, and 32% know there are fines but are unaware of what they are.
Furthermore, 26% don’t know how much time they have to become compliant. Just under a third (31%) think their organisation has six to 12 months to become compliant, with 11% thinking they have between two and three years.
Currently, 55% know about the GDPR requirements, according to the survey, but eight of the respondents didn’t understand what steps they need to take to become compliant.
Only 22% were aware they need to hire a data protection officer and there was also confusion as to who is responsible for ensuring compliance. Two in five (42%) thought the responsibility lies with the organisation as a whole, with a quarter (24%) thinking responsibility lies directly with the CEO.
When asked about steps they have taken to become compliant, organisations listed increased investment in IT security and data protection training as key initiatives, with 44% and 42% of organisations taking those steps respectively.
When it comes to challenges that businesses face, a quarter of the IT decision makers quizzed cited their restricted resources to improve current processes as the biggest barrier to complying with data protection regulations.
Other barriers included the lack of a formal process in place to notify of a data breach (21%), lack of financial resources (20%), and the lack of a formal process in place to enable clear identification of data location and ownership (19%).
Rik Ferguson, global VP of security research at Trend Micro, said UK companies lack the motivation to comply with the GDPR.
“As it often happens with regulation, it’s going to take a whipping boy to understand the gravity of the situation for most organisations,” he said. “One high-profile case of a company handing money over for non-compliance under GDPR will be the required wake-up call the rest of the industry needs to get their act together.”