The Skillcast Compliance Insights Survey found 4 in 5 employees & their managers believed that they understand & comply with data protection legislation, but do they really?
Is all well on the data protection front?
When GDPR came into effect in 2018, there was a major hullabaloo about data protection. But that quietened down and despite a few eye-catching fines on the surface it seems that all is well on the data protection front.
We decided to investigate further, by retaining YouGov to conduct a major survey of UK companies. The overall picture we found was very positive indeed, but by digging deeper we found some significant causes for concern.
Our UK Corporate Compliance Survey 2019 covered 4,000 employees and decision-makers at UK firms. We asked the respondents about what they observed in terms of data protection compliance incidents and their perception of the level of threat.
At first glance the survey results (see Figure 1) suggest that UK companies seem to have implemented the new EU data protection regime rather well.
Some 83% of employee respondents said that they 'strongly agree' or 'tend to agree' with the statement 'I feel confident about my legal responsibilities in my job under data protection laws' (see Figure 1). The level of confidence was 79% and 80% at medium and small companies respectively, and slightly higher - 87% - at larger companies.
Similarly, 78% of the employee respondents said 'strongly agree' or 'tend to agree' with the statement 'I would fully trust my business with my personal data if I were a customer' (see Figure 2). This number was remarkably consistent across all company sizes.
What's more, 81% of employee respondents claimed they hadn't witnessed data breaches during the previous 12 months within their workplace (see Figure 3). Although again small companies were the outliers, with 86% of respondents claiming they hadn't witnessed a data breach, compared with 77% in medium companies and 79% in large.
Responses from managers (see Figure 4) reflected a similar confidence. Some 78% agreed that employees in their organisation are fully trained on their legal responsibilities towards data protection. Whilst 85% believe that protection of personal data is embedded in all of their business processes and 89% would trust their business fully with their personal data were they a customer.
However, when the researchers dug deeper and asked employee participants whether they had seen colleagues engaging in a variety of specified activities, this revealed a very different picture.
In fact all is not well on the data protection front...
When we dug asked employees whether they had seen colleagues engaging in a variety of specified activities, we found a very different picture (see Figure 5).
We asked the respondents about what they observed in terms of data protection compliance incidents and their perception of the level of threat.
- 17% of the 2,000 employees had witnessed colleagues sending emails to the wrong person
- 19% had seen colleagues leaving personal data, such as letters, contact details and customer transactions, on desks, where they were visible to others
- 10% had heard colleagues talking about customers with friends or family - naming organisation and individuals
- 9% had seen gossip or personal opinions about customers shared in internal emails or messages
- 9% had witnessed others failing to dispose of printed copies of customer details in the confidential waste bin
- Only 57% (not shown in Figure 5) said they had not seen this behaviour
Now let's turn to the managers (decision-makers). When we asked them about their perception of the risk of personal data breaches by employees, only 27% of them said that their organisation was at any kind of risk.
Only eight percent estimated that their business had at least one data security 'near miss' incident per month (see Figure 6). And the same proportion said that they had at least one reportable data breach every year.
So far, so good.
However, only half of managers surveyed said that they were confident that an employee spotting a data security incident would escalate it promptly within the organisation, (that's 1,000 managers at UK firms in the same survey!).
That's depressingly low confidence. But hold on, it gets worse!
Only 38% of managers believed that data breaches would be reported to the ICO within 72 hours. Let's look at that again - just over a third of the managers believe that they can comply with a key requirement of the data protection law in the UK! Leaving nearly two thirds not confident of being able to comply with the law!!
Disclaimer: although our question did make it clear that this statement was in context of compliance with data protection laws, some respondees may have rationalised that many breaches are not reportable. So the figure of 38% may under-represent the number of managers sure about reporting the reportable breaches to the ICO within the 72 hours.
This is a major indictment of data protection readiness and sits at odds with 85% of managers claiming that data protection is embedded in all their business processes (see our previous blog based on the same survey).
Companies need to wake up to the fact that their managers and employees think that they are complying with GDPR and the Data Protection Act 2018, when in fact they are not.
When asked more specifically, over two-fifths of employees say they've witnessed major breaches in the last year, and two-thirds of their managers don't have confidence in the ability of their organisations to comply with the law.
About the UK Corporate Compliance Survey
Skillcast is the leading provider of corporate compliance e-learning and tools to companies in the UK, ranging from FTSE100 giants to small and mid-sized businesses. Given our passion for staff compliance, we commissioned two surveys to assess compliance issues, attitudes and perceptions in the UK corporate workplace.
Our survey was conducted in May 2019 in partnership with YouGov, gathering the opinions of 2,000 employees and 2,000 decision makers. Find more survey results in the Compliance Insights section of our blog.
If you'd like to see more insights into this data by size of firm, industry sector, UK region and demographic, please contact us.
Or if you have your own observations please post in the comments below.