Only half of UK businesses are aware of the upcoming EU Data Protection Regulation, compared with 87% awareness in Germany, according to research from Trend Micro.
The survey of 850 senior IT decision makers across Europe revealed a lack of basic knowledge about the EU Data Protection Regulation, while British businesses appear to know even less than their continental counterparts.
Of the 250 British respondents in the survey, 50% were completely unaware of the impending legislation and just 10% said they fully understood what steps their organisation needs to take to achieve compliance.
More than eight in ten British respondents (85%) believe their organisation faces significant challenges in order to comply with the data protection regulation, with a quarter (25%) saying they don’t even think it’s realistic to adhere to. Lack of employee awareness (44%) and restricted resources (31%) were highlighted as the biggest barriers.
The EU Data Protection Regulation is a set of legislation that aims to comprehensively reform data protection, strengthen online privacy rights and boost Europe’s digital economy. If the regulations are broken, fines could be as high as €100million or 5% of global revenue.
While 95% of German respondents were aware there would be fines, nearly a quarter (25%) of British businesses had no idea there would be. And nearly half (44%) of UK businesses said 2-4 years was a more realistic timeframe for them to comply.
“With ratification expected in 2014, it’s alarming to see how little is known about such key privacy regulations, “said Rik Ferguson, Vice President Security Research at Trend Micro. “This effects every organisation, regardless of size. If a company processes data then it needs to be aware.
“As companies look to gain maximum value from a new generation of big data projects, data privacy should be a board level discussion. This is not just an IT issue, duty to comply falls to everyone from the receptionist right up to the CEO.”
Where does responsibility lie?
Even among the UK businesses that are aware of the regulations, there is still a lot of confusion about who it will apply to and whose problem it will be to deal with. For example, 24% of senior IT decision makers either didn’t think the regulation would apply to their organisation or didn’t know.
Nearly four in five (78%) British respondents believe that some responsibility for ensuring compliance with the proposed EU General Data Protection Regulation lies with the organisation as a whole.
Over a quarter (28%) place responsibility for this with a data protection officer and around a tenth with the government (10%) or a business insurance provider (10%).
Around two thirds (62%) of respondents believe the proposed EU General Data Protection Regulation would apply to EU registered companies and over a third (34%) think it would apply to companies in business with EU companies.
Nearly half the sample (48%) did correctly single out that it would apply to any company that deals with EU resident data, even if that company does not have a legal entity within any of the EU countries.
More than eight in ten (84%) UK respondents report that their organisation will need to take steps in order to become compliant. To achieve this, the majority plan to increase employee training on data protection (57%), half (51%) plan to increase investment in IT security (51%) and 27% will be improving their business insurance policy in the event of a data breach.
“These findings need to serve as a wake-up call, both to businesses and governments that these changes are coming and we all need to prepare,” said Ferguson. “If they don’t take action there’s the very real chance that they might wake up with a nasty fine on their hands that could potentially have a major impact on their business.
“I would recommend that every business starts the process of compliance with a health check or assessment of where the organisation is right now. What data is stored, how it is processed and what policies currently govern it. This will put organisations in a position to know where the holes are in their data policy and what needs addressing.”