With only five months to go, new government-sponsored research on the General Data Protection Regulation has revealed worrying levels of preparation and awareness.
According to the new research from the Department for Digital, Culture, Media and Sport (DCMS), 80% of large businesses have heard of GDPR, and 27% have made changes to how they operate in response.
The DCMS surveyed 1519 businesses, finding that 80% of large businesses (more than 250 people) were aware of the regulation, whilst that figure was 66% for medium businesses, 49% for small businesses (10-49 people) and 31% for businesses of two to nine people.
Of those that were aware, just over a quarter of businesses (27%) had made any changes to how they operate, directly as a response to the forthcoming changes to the data protection regulation.
The research found that 36% had created or changed policies and procedures, 21% had deployed additional staff training and 12% had added new technology.
Jon Baines, chair of the National Association of Data Protection Officers (NADPO), told Infosecurity that from looking at the research, he was concerned that DCMS appears to be promulgating an idea that compliance with GDPR is solely or mainly about cybersecurity.
“I would have expected more than 27% of businesses to be making changes,” he said. “As much as GDPR is an evolution not a revolution, I would still expect to see policy review and the introduction/improvement of data protection by design and default into businesses' systems and processes. I think it would have been really helpful for DCMS to have actually published the research questions and methodology.”
The research also surveyed 569 charities, and found 44% were aware of GDPR in total, and also discovered that 36% had created or changed policies and procedures. Further, 12% had installed, changed or updated their anti-virus, and 10% had encrypted data – compared with 5% of businesses.
Baines said: “I'm astounded that there are still some charities who appear not to be aware of GDPR. From my experience there has been so much worry, and consequent publicity, in the sector, that I would have expected awareness to be very close to 100% across the field.”
Darren Anstee, chief technology officer of NETSCOUT Arbor, said that gaining a good understanding of GDPR is still a work-in-progress for many organizations – and it’s important to consider the impact mishandled data might have on the organization itself, customers and employees. It is concerning that at this late stage only 80% of large businesses are aware of the regulation.
“The fact that creating and changing policies in order to comply with the new GDPR legislation is the most common change made by business and charities alike is both good and bad. On the one hand, organizations have obviously taken on board the process and policy changes they need to comply, however, the low percentage shown around other types of change may indicate that the focus has been purely around compliance, rather than looking at the aim of the legislation – to improve the way people’s data is acquired, processed, stored and secured.”