General Data Protection Regulation (GDPR): 25% of employees storing data in public without permission

19/06/2017: 23% of small UK firms haven't started preparations for GDPR

Nearly a quarter of small UK businesses still haven't started preparing for data protection rules that are less than a year away, according to a survey.

Around one in 10 enterprises with 500 or more employees are in the same position, NetApp's survey of 253 CIOs and IT leaders in the UK found.

The EU's General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018, and will introduce stringent new measures designed to give EU citizens more control over how organisations use their personal information.

Tough fines will apply to organisations that breach the law, with firms facing penalties of up to 4% of their annual turnover or 20 million, whichever is greater.

NetApp's research found that the major issue seems to be a lack of understanding and awareness, with only 7% of small business respondents saying they fully understand the rules, and 14% admitting they don't even know what GDPR is.

With only 19% of small business IT decision makers and CIOs claiming to be totally prepared for the legislation deadline, compared with 34% of larger business respondents, smaller businesses could fare worse under the new regulation's heavy fines, NetApp said.

Marketing manager Martin Warren said: "The risks of non-compliance for a smaller business could be catastrophic -- by virtue of size, they are even more vulnerable to the hefty fines for non-compliance."

But a solid 28% of small business respondents said they have 'a good understanding' of GDPR, a figure higher than those from both medium (27%) and larger businesses (21%).16/06/2017: Just 6% of UK firms regard GDPR compliance as a priority

UK companies are lagging behind France in preparing for the EU's General Data Protection Regulation (GDPR), according to a new survey.

Just 6% of British firms have made complying with the new data protection rules a priority, security firm Sophos's research, conducted last month, found, compared to 30% of French businesses.

Sophos's survey of 625 IT decision makers in the UK, France, Belgium, the Netherlands and Luxembourg also discovered that 54% of respondents had little understanding that failure to comply could result in a fine of up to 4% of a business's annual turnover or 20 million, whichever is greater.

One in five respondents said such a fine would force them to close, a figure that rose to one in two SMB respondents. More than a third surveyed admitted a GDPR fine would result in redundancies.

But the data showed that the UK considers the data protection measures less of a priority than the other European countries 20% of British companies deemed GDPR a low priority, compared to 8% in France.

While one in five French firms are confident they're compliant, that figure sinks to 8% in the UK, despite GDPR coming into effect from 25 May 2018.

"Getting ready for GDPR is a long process. If regulators demonstrate that they are prepared to impose the maximum fines in May 2018, then businesses will seriously regret not being prepared," said John Shaw, vice president of product management for the end user group at Sophos.

So far, just 42% of firms have created a data protection officer role a requirement under GDPR for public authorities and companies carrying out large scale behaviour tracking. Meanwhile, only half of IT decision makers told Sophos their company is able to gain consent from people whose data they're collecting a key tenet under GDPR.

Less than half said they're able to delete people's data when requested, as per GDPR's 'right to be forgotten' policy, and a similar figure said they can report a data breach to their data protection authority within the 72-hour deadline.

"With data breaches occurring on an almost daily basis across Europe, I would argue that the top priority should actually be to reduce the risk of the data breaches," said Shaw. "Reducing that risk doesn't need to be complicated - concentrate on stopping the biggest causes of data breaches by making sure the basics are in place: keep all operating systems and software up to date, implement encryption for sensitive data, and educate all employees about the risk of phishing and other social engineering attacks."

19/05/2017: Employees putting company GDPR preparations at risk

Research by M-Files has revealed that employees are making it difficult for businesses to prepare for the incoming GDPR legislation because they are using their personal devices and personal cloud accounts to access and store company information.

A third of workers are using shadow IT, rather than going through company channels to ensure the way they handle information is sufficiently secure.

M-Files found that 33% of employees are using their personal devices rather than business-provisioned equipment to access and share company information, while 31% are using personal cloud services without the go-ahead from company IT departments.

"Going against company policies on sharing and accessing documents may seem relatively harmless, but it can have costly consequences, leaving organisations exposed to heightened security risks and compliance issues," Julian Cook, VP of UK business at M-Files, said.

"With the General Data Protection Regulation (GDPR) on our doorsteps it's critical that organisations maintain control and visibility of their documents and information handling practices."

The survey questioned 250 IT decision makers about how they're protecting data in their organisation and it was revealed that 23% of those businesses had experienced at least one security breach in the past year because employees wern't sticking to the companywide data security policies.

"The Shadow IT problem can be fought on two fronts. As a first step, organisations should implement and continuously reinforce a clear policy on the use of personal devices and file sync-and-share apps as well as communicate to staff the impacts of not adhering to these guidelines, which can negatively impact the company," Cook advised.

"But perhaps more important is understanding and addressing the root causes of Shadow IT, which in most cases points to deficiencies in existing information management solutions and approaches."

General Data Protection Regulation (GDPR)

Clare Hopping
Freelance writer

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.

Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.

As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.