Despite GDPR having been enacted over 15 months ago, over half of UK organizations are still not compliant with the General Data Protection Regulation (GDPR).
The report released by Egress, GDPR Compliance: where are we now?, polled 250 GDPR decision-makers and found that 52% were not fully compliant with the new regulation. Even worse, 35% of respondents claimed compliance with the EU-wide data protection regulation had actually dropped down on the priority list over the past year.
Over 40% of respondents rated their organization as "mostly compliant", however, it is unclear which policies were lacking in these firms. This is alarming because GDPR is not a simple exercise and it only takes one small oversight to lead to a potentially serious security incident.
Over a third (37%) of respondents reported at least one security incident to the ICO within the last 12 months. A figure that's not very surprising given that 60% of security-related incidents reported to the ICO in the first half of 2019 were due to human error. People are always going to make mistakes and with the potential for insider threats, organizations must take the steps to become GDPR compliant.
The report also found that 53% of medium-sized companies, 36% of small companies, and 23% of enterprise organizations reported security breaches to the ICO within the last 12 months. Medium-sized companies were also found to be the most exposed to cyber incidents and also the most alert to respond to a cyber incident.
Many have speculated that the wait of more than a year from implementation to the first action taken by the ICO under GDPR may have created the perception that the regulation was 'all talk no action', but the stiff fines issued by the ICO to Marriot and British Airways just recently should serve as warning to those not taking GDPR as seriously as they should.