- Security TWENTY
- Women in Security
With days to go until the GDPR begins on May 25, about one in five (22 percent) of small business owners are totally unaware of the General Data Protection Regulation, according to the first data released from Shred-it’s eighth annual Security Tracker research, by polling firm Ipsos.
A quantitative online survey was of two distinct sample groups – 1,000 Small Business Owners (SMO) in the United Kingdom, all of which have fewer than 100 employees, and over 100 C-Suite Executives in the UK within businesses of over 250 employees.
The research shows a disparity in terms of preparedness and focus based on the size of businesses. Near all, 97 percent of C-suite executives at large companies have at least a basic understanding of GDPR, compared to 78 percent of small business owners. Forty-seven percent of the top brass at larger firms are confident of having detailed knowledge. That figure for small businesses is just 10 percent.
According to the study, London-based businesses are also much more aware than those in other regions, with just 12 percent stating that they were not at all familiar with GDPR, compared with much higher figures in the Midlands (30 percent), the North (23 percent), Scotland (20 percent) and Wales (17 percent). Small business owners are more complacent and are typically underestimating the scale of the task-at-hand: less than a third (30 percent) acknowledge that they will face a challenge becoming compliant with GDPR by the deadline, compared to 64 percent of C-suite executives.
Neil Percy – Vice President Market Development and Integration EMEA, Shred-it said: “In the lead up to May 25 and beyond, it’s crucial that organisations of all sizes begin to take a proactive approach in preparing for GDPR. To see so few firms aware of the regulations right on the eve of enforcement beginning is alarming to say the least.
“Companies need to audit their current data flows and assess where confidential information may be at risk, either in digital or physical form, and take steps to restrict accessibility and delete or, if in physical format, securely destroy it when necessary. All too often organisations place themselves at risk of breach by not connecting the need to protect physical confidential material with the same level of security applied to the same data held electronically. GDPR will view a breach of data equally regardless of electronic or physical in format.”
The new privacy legislation adopted across the European Union affects any business, anywhere, that controls or processes the personal information of EU citizens. It includes new penalties for companies that are not compliant – potentially fines of up to four percent of annual revenue. At the heart of the GDPR are requirements to protect people’s personal information meaning a greater focus on encrypting digital information, safer practices in handling sensitive hard copy documents, and establishing policies around the storage and deletion of both.
It is not just GDPR where an awareness gap is apparent, the firm suggests. Fifteen percent of small business owners admit they do not understand the legal requirements for handling confidential information in their industry more generally. Less than half (44 percent) claim to have a strong understanding. 42 percent of small businesses do not have, or are unsure if they have, a policy for employees on handling confidential documents. Ninety-five percent of larger firms have a policy, however a quarter of leaders (24 percent) admit that not all employees are aware of it.
As well as documenting the gap in understanding, the research also looks at practices that will put organisations in breach of GDPR requirements. Businesses of all sizes undergo security scares that could prompt the ICO to investigate them on GDPR grounds -11 percent of companies have had employees lose a company mobile phone, nine percent report employees losing company laptops and eight percent have lost paper documents with sensitive company info.
Large companies are more likely to have a policy or process in place that requires employees to report an information security issue: 85 percent of C-Suites vs. 40 percent of small business owners. 35 percent of small businesses do not have any policy in place on disposing of paper documents and 42 percent don’t have one relating to disposing of end of life electronic devices
Neil Percy added: “Incidents like losing a laptop or mobile phone if not effectively password protected or insecurely disposing of a printed document confidential in content when working outside of the office, may have much bigger consequences for businesses under GDPR. You may need to report those kinds of losses to the Information Commissioner’s Office, and it is possible that they will then look at the policies and processes you have in place and how well understood and followed they are by employees.”