According to new research, when it comes to data compliance matters, one in five business decision makers within the UK admit they do not know which compliance regulations their company is subject to, while a worrying number do not believe the forthcoming General Data Protection Regulation (GDPR) applies to them.
The findings are part of the 2017 Risk:Value report commissioned by NTT Security , the specialised security company of NTT Group, which looks at attitudes to risk and the value of information security to the business.
The survey of 1,350 non-IT business decision makers across 11 countries, 200 of which are from the UK, reveals that just 39 percent of UK respondents think the GDPR will apply to them, the lowest of all the European countries surveyed, including Germany/Austria, France, Sweden, Norway and Switzerland.
A further 20 percent in the UK say they don’t know, suggesting that 41 percent are in denial of their future obligations relating to GDPR, which comes into force on 25 May 2018 – leaving companies with less than a year to comply with strict new regulations around data privacy and security.
The picture outside of Europe is also a concern, given that the legislation applies to any organisation anywhere in the world holding or collecting data on citizens in Europe and could result in penalties of up to €20m or 4 percent of annual turnover, whichever is higher. Just 25 percent of respondents in the US believe it applies to them (20 percent don’t know) and 26 percent in Australia say they are subject to the new rules (19 percent don’t know).
However, respondents in Germany/Austria (53 percent) and Switzerland (58 percent) seem to be well informed about the forthcoming legislation.
With data management and storage a key component of GDPR, the report raises serious concerns about knowledge of what data is being stored securely and where. Just four in 10 (41 percent) UK respondents believe that all of their organisation’s data is secure, while around half (55 percent) say that all of their company’s critical data is secure.
However, UK decision makers are much less well informed than their counterparts in other countries about where their data is physically stored, with a little over half (57 percent) admitting they know – compared to a global average of 67 percent. Only France is lower, with just 54 percent of respondents knowing where their company data is stored.
Asked if emerging new regulations will impact on where and how their organisation’s data is stored, 42 percent of respondents in the UK say ‘definitely’, 31 percent ‘think so’ and nearly one in five (18 percent) say ‘no’, which is double the global average of 9 percent, and the highest number of all of the countries surveyed.
Additional UK figures:
• UK respondents estimate, on average, that it would cost £1.1m ($1.4m) to recover from a data breach – above the global average of £1m ($1.3m).
• The estimated percentage drop in company revenue in the UK is 9.45 percent. Globally it is down from 12.51 percent in 2015 to 9.95 percent in 2017, on average.
• UK respondents estimate it would take 80 days to recover from a breach (74 days globally) on average.
• Around two-thirds (64 percent) cite loss of customer confidence, damage to reputation (67 percent) and financial loss (44 percent) following a breach, while 10 percent expect staff losses and 9 percent say that senior executives would resign.
• 63 percent in the UK ‘agree’ that a breach is inevitable at some point, compared to an average of 57 percent globally.
• 59 percent ‘agree’ they are kept fully up to date by their IT security team about attacks and potential threats to the security of the organisation (compared to an average of 67 percent globally).
• Less than half in the UK (47 percent) report that preventing a security attack is a regular boardroom agenda item, suggesting that more needs to be done for it to be taken seriously at a boardroom level.
• 72 percent of UK respondents say their organisation has a formal information security policy in place, compared to the global average of 56 percent. While 83 percent say it has been actively communicated internally, less than a third (31 percent) say employees are fully aware of the company’s security policy.
• Nearly two-thirds (65 percent) of UK respondents say their organisation has an incident response plan, well above the global average of 48 percent. But, just 44 percent are fully aware of what the incident response plan includes.