Research conducted at Infosecurity Europe 2016, Europe's number one information security event, has found that many IT professionals are still unaware of what the European Union (EU) General Data Protection Regulation (GDPR) means to their organisation. 20% of respondents were unaware that a data breach could lead to fines of up to ˆ20m or 4% of a business’ annual turnover. Over a quarter of the respondents (28%) did not know that a data breach should be reported within 72 hours under the new regulation.
iStorage, the trusted global leader of PIN protected, hardware encrypted data storage devices, carried out the survey during the course of the annual event in London. The survey gathered insight from a wide range of professionals including IT Managers, Chief Information Officers, IT Senior Executives, Chief Technical Officers, Company Directors and IT Consultants. It follows on from a previous iStorage survey last year revealing half of respondents did not understand what GDPR was; while there is greater understanding around GDPR, the details of it are unclear highlighting the need for further education.
“2016 is the year of data security, it is the topic on many organisations’ lips and rightly so. GDPR will enter into effect during May 2018, and although this may seem a long way off, this period should be utilised effectively as this is the minimal time that companies will need to come to terms with new data obligations,” states John Michael, CEO of iStorage. “We are discovering that some IT professionals are still unaware of the impact the regulation will have to their business and more worryingly, if it even applies to them!”
A vital area of importance within the regulation is the requirement for businesses to implement measures to provide appropriate protection for the personal data they hold. This means the pseudonymisation and encryption of personal data is essential. However, a quarter (25%) of all respondents surveyed were unaware that personal data must be encrypted in order to comply with the regulation. Another part of the new regulation is the requirement for a Data Protection Officer (DPO) within certain businesses. Although aware of this requirement, iStorage found that 60% of respondents did not know than a DPO was not required for organisations of under 250 employees.
John Michael continues, “It is important to get the message out there that GDPR is very much on the horizon and it is applicable to all organisations. Our survey shows that there is still confusion and a lack of understanding around the regulation, therefore rapid education is a must. All businesses will have to ensure personal information is protected by adequate security, therefore preventing any data breaches which can lead to hefty fines. Many security breaches occur from the theft or loss of portable storage devices; businesses should ensure that all portable media devices containing personal information are robustly encrypted to the highest standard.”