The GDPR 'industry-wide education gap' needs to be addressed

The UK lags behind the rest of the world on GDPR knowledge, even though awareness is approaching 100 per cent

The boards of UK businesses are not treating the GDPR with the seriousness it deserves, according to a survey of 1,000 IT leaders around the world by Trend Micro.

There is still a widespread lack of knowledge about what constitutes 'personal data'. For example, many firms don't know that the definition covers email marketing databases (56 per cent of respondents), a customer's date of birth (79 per cent) or customers' postal addresses (29 per cent). Additionally, 10 per cent of companies aren't protecting their customers' email addresses.

On a more positive note, we are finally approaching 100 per cent GDPR awareness: every UK business leader Trend Micro talked to knew about the regulation, and almost nine in ten had seen its requirements. 88 per cent of British firms felt confident that they could protect personal data: nine percentage points ahead of the global average.

However, as seen above, the ability to identify that personal data lags behind. Globally, 64 per cent of firms would not count a date of birth as personal data (a 15-point gap with the UK's result), and 42 per cent do not think that the GDPR's protection requirements apply to an email marketing database: 14 points behind the UK.

Fines are one of the key aspects of the GDPR, but 73 per cent of UK firms (and 67 per cent of global firms) do not know the maximum charge that they could face: up to £17 million, or four per cent of global turnover. Almost a third of British companies told Trend Micro that a fine 'wouldn't bother them', although that will likely change once they understand the true cost of a data breach.

39 per cent of firms said that GDPR fines would have the biggest impact on their business in the event of a breach, but 60 per cent felt that it would be reputational damage.

Echoing the results of a recent Citrix study, Trend Micro found that there are still questions around data ownership. For example, if a US service provider loses EU data, only 11 per cent of firms correctly said that responsibility falls on both parties. The majority (63 per cent) thought that the EU data owner would be at fault.

About 50 per cent of UK respondents think that C-level executives (primarily the CEO or CISO) should be responsible for GDPR compliance. However, only a fifth have an executive involved in the GDPR process. The majority of UK companies (61 per cent) have given the lead to the IT department.

Rik Ferguson, VP of security research at Trend Micro, said, "With just nine months to go before it comes into force, GDPR should be the biggest boardroom issue of the moment… If organisations don't take the regulation seriously, they could be subject to a fine that's a significant portion of global revenue. The task for the C-Suite now is to see GDPR as a business issue rather than a security issue, before it gets to that stage.

"There's an industry-wide education gap here, and it needs to be addressed."