
General Data Protection Regulation (GDPR): 25% of employees storing data in public without permission

Even HR is breaking the rules, using public cloud services without the organisation's permission

Businesses are putting themselves in the firing line for big fines if they don't comply with GDPR guidelines, Sharp has revealed, with almost a quarter of employees storing confidential information on the public cloud, even if their organisation hasn't sanctioned it.

In fact, one in 12 employees are able to access information they shouldn't be able to view, putting both customers and the company at risk of data leaks. The problem has been amplified because such a large proportion of the workforce is now able to work remotely, Sharp said in its report.

"It is up to businesses to find the right balance between modern ways of working and secure data sharing. When you also consider that 75% of employees access work documents on the go, businesses need to do more to keep up with their workers," Stuart Sykes, managing director at Sharp Business Systems, said.

The company added that almost a quarter of employees are using public file sharing sites without the permission of the business and a third are taking work home to finish, without getting approval from their managers to take data off-premises.

Even HR is breaking the rules, Sharp said, despite being the department that usually sets the boundaries. Some 30% of HR managers said they had stored information in the public cloud, despite knowing the risks.

Security and privacy expert Dr Karen Renaud said that the results showed a need for businesses to provide better support for employees: "As long as businesses continue to require or implicitly overlook insecure behaviours, security will always be sacrificed."

05/07/2017: Councils are 'seriously unprepared' for GDPR

The General Data Protection Regulation (GDPR) will give people more control over their personal information when it is passed into law in 2018, superseding the UK's outdated Data Protection Act, which was drafted in the 1990s.

The regulation requires no special legislation to come into force in the UK, making the two-year countdown a hard deadline by which companies must get into shape.

GDPR changes the concept of personal data, expanding its definition to include people's IP addresses and online identifiers, as well as forcing companies to gain people's explicit consent to use their data.

It aims to make it easier for citizens to find out what data companies hold on them, and to give them more details about how their data is handled and what it is used for.

People will also have a right to port all their data from one company to another, and to know when their data has been hacked, as well as the right to be forgotten, which will require companies to delete people's personal data when asked to.

These new rules represent dramatic changes to the way businesses are required to handle data, and the consequences for failing to look after such information properly can be drastic.

Any company that suffers a data breach will face a fine of up to 20 million or four per cent of their annual global turnover, compared to a maximum existing penalty of 500,000.


The vast majority of councils in the UK have not yet allocated budget towards meeting the various requirements of the General Data Protection Regulation (GDPR).

With the regulation coming into force on 25 May 2018, 82% have not earmarked money to deal with implementing the EU data protection rules. The information came to light following a freedom of information (FoI) request by M-Files Corporation.

The company sent FoI requests to all 32 London boroughs and 44 other local authorities throughout the country, asking councils about their GDPR preparedness.

It found that 76% of London councils have not yet allocated budget towards making provisions to ensure compliance with GDPR, with the same figure for the rest of the country standing at 89% (averaging 82%). Additionally, 56% of the local authorities contacted have still not appointed a data protection officer, despite this being stipulated as a requirement by GDPR for public bodies.

Julian Cook, vice president of UK Business at M-Files, said that the findings point to a "serious lack of awareness" of the importance of GDPR and the challenges it will pose for local government.

"At this stage, we would have expected local authorities to be further along in their preparation efforts, but the data demonstrate that this is far from the case," he said. "Inadequate preparation for GDPR will have serious financial implications if these boroughs ultimately do not comply with the new rules."

He added that local authorities face a constant struggle to manage a series of diverse responsibilities, often having to work with limited budget and resources.

"Effective data management is often one of the most labour-intensive of these challenges, with local authorities tasked with administering and protecting ever-increasing amounts of sensitive data, such as personally identifiable information (PII)," added Cook.
