UK firms too complacent regarding GDPR compliance, says new research
UK businesses are falling into complacency traps when it comes to preparing for the upcoming General Data Protection Regulation (GDPR), according to new research.
A report by NTT Security, the security division of NTT Group, claims UK firms are still unsure of what to do to ensure full compliance ahead of the May 25, 2018 deadline. While some have proactively implemented programmes, gaps still exist, leaving them vulnerable to fines of up to €20 million or four percent of their annual global turnover, whichever is higher.
“Complacency could well become an organisation’s new enemy,” said Rob Bickmore, principal security consultant at NTT Security. “Businesses know that GDPR is fast approaching, but there is uncertainty as to what specifically is required and where the focus needs to be. Our comprehensive range of GDPR services fills the gaps and translates GDPR into a language that everyone, from the top down, will understand and be able to act upon.”
Some of the most common complacency traps include the misconception that the ISO 27001 standard is enough to cover GDPR. NTT Security says implementing controls aligned to this certification is a great start, but they are only part of the bigger picture.
Firms also think the effort they have put into preparing for PCI DSS will be enough, whereas any controls implemented for PCI DSS will need to be extended to cover Personally Identifiable Information (PII), which even then is only part of the GDPR requirements.
Some organisations also believe their GDPR programme can be handled by the legal or IT team alone. In fact, GDPR compliance is everyone’s responsibility, says the report. It should not be left to one team – legal, IT, HR and other business functions must all be involved, with visible support from the executive level.
In addition, some firms think it is not their problem if they have outsourced all data processing to a third party. However, while processors are liable for protecting PII under the GDPR, the responsibility still rests with the data controller to ensure that processors implement ‘technical and organisational measures’ to protect the information.
“A successful GDPR programme has sustainable compliance at its heart. The benefits of getting to grips with the requirements of the regulation and using it to improve an organisation’s overall operational and information security processes cannot be overestimated,” said Bickmore.