Key findings from a global survey of over 1,000 IT leaders:
- 88% of UK firms felt their data was as secure as it could be (global average - 79%)
- Only 57% of firms have a process in place to notify the supervisory authority within 72 hours of becoming aware of a personal data breach
- Most (73%) were unaware of the scale of the fines for non-compliance (up to €20 million or 4% of global annual turnover, whichever is higher), and over a quarter (28%) claimed fines "wouldn't bother them"
- 60% cited reputational damage as one of the biggest impacts of a data breach
- Understanding of the basic principles was poor - 79% of UK businesses (global average 64%) didn't know that a customer's date of birth counts as personal data, and 56% wrongly believed that email marketing databases were not personal data
- Just 19% of firms had a C-level executive engaged in GDPR and only 10% had a board-level manager, with the IT department in charge in 61% of cases
- Despite the obligation to use appropriate technical measures to manage the risks, only 25% of UK businesses had invested in technology to identify intruders on their IT network, just 27% had invested in encryption, and only 30% had implemented data leak prevention technology
- Only 11% knew that their firm would be held jointly responsible if EU personal data were lost by a US service provider they use
Use this checklist to help move GDPR up the boardroom agenda in your firm:
- Get the tone from the top right - If you haven't already, consider holding events and roadshows, creating resources, or organising presentations by the CEO and board to create awareness and demonstrate your commitment to data protection at the highest level. If it matters to you, then it will matter to everyone else across the organisation.
- Appoint a dedicated Data Protection Officer, if required - with responsibility for data protection compliance right across the organisation. Consider how they will operate within your existing organisational structure, the responsibilities they should have (e.g. liaising with regulatory bodies, board-level reporting, providing training), and governance issues.
- Be proactive and aim for data protection by design - Think about how you might integrate data protection into all your processes so data protection and privacy issues are prioritised from the start. Carry out and document Data Protection Impact Assessments (DPIAs) or Privacy Impact Assessments (PIAs) to strengthen protections for individuals.
- Measure and mitigate the risk - As a board, set aside time to discuss your cyber security and information security issues. What is your risk profile, what is your attitude to the different risks, and what is your appetite for risk where data breaches are concerned? Are cyber security and information security issues included in your risk register? Are there named risk owners and specialist teams to track and manage the risk? What role do Audit and Compliance play now, and how will this change in future?
- Accept accountability - Be in no doubt: significant fines can be imposed on firms that don't comply. Cyber security has never been just an IT issue, and under GDPR it can no longer be treated as one. The stakes are high and it's time to step up. Are you ready?