An independent survey, commissioned by Netskope, of 2,000 British adults has offered a snapshot of current understanding of the GDPR amongst adults of working age, and the extent to which employers have already informed staff about the regulation. The survey also asked respondents to state the maximum fine possible under the GDPR.
As mentioned, two thirds of British adults (62.9%) have never heard of the EU GDPR. Additionally, over 70% have yet to be informed of the regulation by their employers.
Failure to educate staff on regulation
Asked the question of whether they were aware of the GDPR, fewer than one in ten respondents (9.6%) claimed to have a detailed knowledge of the regulation, with six in ten (62.9%) saying they had never heard of it.
A further 14.1% had heard of the regulation but did not know what it was. 13.4% said they had some general understanding of the GDPR.
When asked if their employer had informed them about the GDPR and its effect on working processes, seven in ten employees (70.4%) said that they hadn’t been told anything about the GDPR yet by their employers.
A further 8.6% said it had been mentioned but that they were unsure of the details of the regulation, and only one in five said they’d been offered “plenty” of information about the GDPR.
Understanding the financial implications for non-compliance
When asked to state the maximum fine possible for a company found to have breached the regulation and infringed upon data subjects’ rights in the process, just 1% of respondents were able to accurately pinpoint the correct maximum fine – 20 million euros or 4% of annual worldwide turnover (whichever is larger).
One in five UK office workers thought the maximum fine would be between 1 and 1000 euros – underestimating the sum by a factor of 20,000.
One in ten thought the maximum fine was 1 million euros – a sum representing a mere 5% of the maximum fine under the GDPR.
In 2016, TalkTalk was issued with a £400,000 fine by the ICO for security failings that allowed a cyber attacker to access customer data “with ease”.
Even if translated into a lower-tier GDPR fine (the higher of 2% of annual worldwide turnover or 10 million euros), this fine would have increased to £3,676,000 – demonstrating the extent of the financial incentive for businesses to tackle GDPR compliance.
André Stewart, VP EMEA, Netskope, explained that “these findings show that organisations have a lot of work to do in order to educate employees on the GDPR and the safe data handling behaviour needed to achieve compliance. With seven in 10 UK adults yet to be educated about the GDPR by their employers, it’s possible that many employers are either unaware of the importance of coaching staff or they are not yet making the GDPR a high priority. Unfortunately, both approaches are misguided and leave companies open to GDPR compliance breaches – and massive potential fines as a result.”
“If employees haven’t been taught what security best practice looks like, they can’t do their everyday jobs securely and that presents a major risk to the organisation. Employers will need to show that they have trained their employees on the GDPR to achieve compliance. The amount of effort put into coaching employees on secure data handling is likely to be one of the questions regulators ask when deciding whether to penalise organisations.”
Majority of cloud services still not GDPR ready
On average, IT departments estimated that there are 40-50 cloud services in use in their organisation.
However, the January 2017 Netskope Cloud Report found that the average number of cloud services in use per enterprise in EMEA now stands at 845.
66% of all cloud services were judged to fall short of the standards required under the GDPR, meaning that they lack the proper residency, privacy, and security controls required for compliance – or were not close enough to the required standard to be considered capable of achieving compliance by the May 2018 deadline.
Drilling further into the report data shows that 82% of cloud services do not encrypt data at rest, while 66% do not specify in their terms of service that their customers own the data, and 42% do not allow admins to enforce password controls.