
General Data Protection Regulation (GDPR): 25% of employees storing data in public without permission

Even HR is breaking the rules, using public cloud services without the organisation's permission

19/06/2017: 23% of small UK firms haven't started preparations for GDPR

Nearly a quarter of small UK businesses still haven't started preparing for data protection rules that are less than a year away, according to a survey.

Around one in 10 enterprises with 500 or more employees are in the same position, NetApp's survey of 253 CIOs and IT leaders in the UK found.

The EU's General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018, and will introduce stringent new measures designed to give EU citizens more control over how organisations use their personal information.

Tough fines will apply to organisations that breach the law, with firms facing penalties of up to 4% of their annual turnover or €20 million, whichever is greater.

NetApp's research found that the major issue seems to be a lack of understanding and awareness, with only 7% of small business respondents saying they fully understand the rules, and 14% admitting they don't even know what GDPR is.

With only 19% of small business IT decision makers and CIOs claiming to be totally prepared for the legislation deadline, compared with 34% of larger business respondents, smaller businesses could fare worse under the new regulation's heavy fines, NetApp said.

Marketing manager Martin Warren said: "The risks of non-compliance for a smaller business could be catastrophic -- by virtue of size, they are even more vulnerable to the hefty fines for non-compliance."

But a solid 28% of small business respondents said they have 'a good understanding' of GDPR, a figure higher than those from both medium (27%) and larger businesses (21%).

16/06/2017: Just 6% of UK firms regard GDPR compliance as a priority

UK companies are lagging behind France in preparing for the EU's General Data Protection Regulation (GDPR), according to a new survey.

Just 6% of British firms have made complying with the new data protection rules a priority, security firm Sophos's research, conducted last month, found, compared to 30% of French businesses.

Sophos's survey of 625 IT decision makers in the UK, France, Belgium, the Netherlands and Luxembourg also discovered that 54% of respondents had little understanding that failure to comply could result in a fine of up to 4% of a business's annual turnover or €20 million, whichever is greater.

One in five respondents said such a fine would force them to close, a figure that rose to one in two SMB respondents. More than a third surveyed admitted a GDPR fine would result in redundancies.

But the data showed that the UK considers the data protection measures less of a priority than the other European countries: 20% of British companies deemed GDPR a low priority, compared to 8% in France.

While one in five French firms are confident they're compliant, that figure sinks to 8% in the UK, despite GDPR coming into effect from 25 May 2018.

"Getting ready for GDPR is a long process. If regulators demonstrate that they are prepared to impose the maximum fines in May 2018, then businesses will seriously regret not being prepared," said John Shaw, vice president of product management for the end user group at Sophos.

So far, just 42% of firms have created a data protection officer role, a requirement under GDPR for public authorities and companies carrying out large-scale behaviour tracking. Meanwhile, only half of IT decision makers told Sophos their company is able to gain consent from people whose data they're collecting, a key tenet under GDPR.

Less than half said they're able to delete people's data when requested, as per GDPR's 'right to be forgotten' policy, and a similar figure said they can report a data breach to their data protection authority within the 72-hour deadline.

"With data breaches occurring on an almost daily basis across Europe, I would argue that the top priority should actually be to reduce the risk of the data breaches," said Shaw. "Reducing that risk doesn't need to be complicated - concentrate on stopping the biggest causes of data breaches by making sure the basics are in place: keep all operating systems and software up to date, implement encryption for sensitive data, and educate all employees about the risk of phishing and other social engineering attacks."

19/05/2017: Employees putting company GDPR preparations at risk

Research by M-Files has revealed that employees are making it difficult for businesses to prepare for the incoming GDPR legislation because they are using their personal devices and personal cloud accounts to access and store company information.

A third of workers are using shadow IT rather than going through company channels, bypassing the controls that ensure information is handled securely.

M-Files found that 33% of employees are using their personal devices rather than business-provisioned equipment to access and share company information, while 31% are using personal cloud services without the go-ahead from company IT departments.

"Going against company policies on sharing and accessing documents may seem relatively harmless, but it can have costly consequences, leaving organisations exposed to heightened security risks and compliance issues," Julian Cook, VP of UK business at M-Files, said.

"With the General Data Protection Regulation (GDPR) on our doorsteps it's critical that organisations maintain control and visibility of their documents and information handling practices."

The survey questioned 250 IT decision makers about how they're protecting data in their organisation. It revealed that 23% of those businesses had experienced at least one security breach in the past year because employees weren't sticking to company-wide data security policies.

"The Shadow IT problem can be fought on two fronts. As a first step, organisations should implement and continuously reinforce a clear policy on the use of personal devices and file sync-and-share apps as well as communicate to staff the impacts of not adhering to these guidelines, which can negatively impact the company," Cook advised.

"But perhaps more important is understanding and addressing the root causes of Shadow IT, which in most cases points to deficiencies in existing information management solutions and approaches."
