Data protection query

by Mark Rowe

Most UK adults have never heard of the EU General Data Protection Regulation (GDPR). That’s according to a survey by the cloud security company Netskope of 2,000 British adults of working age, which measured understanding of the GDPR and the extent to which employers have already informed staff about the regulation. The survey also asked respondents to state the maximum fine possible under the GDPR.

Asked by Netskope whether they were aware of the GDPR, fewer than one in 10 respondents (9.6 per cent) claimed to have a detailed knowledge of the regulation, while six in 10 (62.9 per cent) said they had never heard of it. A further 14.1 per cent had heard of the regulation but did not know what it was, and 13.4 per cent said they had some general understanding of the GDPR.

When asked if their employer had informed them about the GDPR and its effect on working processes, seven in 10 employees (70.4 per cent) said that they hadn’t been told anything about the GDPR yet by their employers. A further 8.6 per cent said it had been mentioned but that they were unsure of the details of the regulation, and only one in five (21.0 per cent) said they’d been offered “plenty” of information about the GDPR.

Finally, when asked to state the maximum fine possible for a company found to have breached the regulation and infringed upon data subjects’ rights in the process, only 1 per cent of respondents accurately identified the correct maximum fine – 20 million euros or 4 per cent of annual worldwide turnover (whichever is larger). One in five UK office workers (21.4 per cent) thought the maximum fine would be between 1 and 1000 euros – underestimating the sum by a factor of 20,000. One in ten (9.6 per cent) thought the maximum fine was one million euros – a sum representing a mere 5 per cent of the maximum fine under the GDPR.

In 2016, TalkTalk was issued with a £400,000 fine by the UK data protection regulator, the ICO, for security failings that allowed a cyber attacker to access customer data “with ease”. Even if translated into a lower-tier GDPR fine (the higher of 2 per cent of annual worldwide turnover or ten million euros), this fine would have increased to £3,676,000 – demonstrating the extent of the financial incentive for businesses to tackle GDPR compliance.

Comment

André Stewart, VP EMEA, Netskope, said: “These findings show that organisations have a lot of work to do in order to educate employees on the GDPR and the safe data handling behaviour needed to achieve compliance. With seven in 10 UK adults yet to be educated about the GDPR by their employers, it’s possible that many employers are either unaware of the importance of coaching staff or they are not yet making the GDPR a high priority. Unfortunately, both approaches are misguided and leave companies open to GDPR compliance breaches – and massive potential fines as a result.

“If employees haven’t been taught what security best practice looks like, they can’t do their everyday jobs securely and that presents a major risk to the organisation. Employers will need to show that they have trained their employees on the GDPR to achieve compliance. The amount of effort put into coaching employees on secure data handling is likely to be one of the questions regulators ask when deciding whether to penalise organisations. This means that coaching is essential to limit the risk of a breach in the first place, and then again to limit the extent of any potential penalty. Alongside coaching, employees will also need the tools to do their jobs securely without sacrificing ease and convenience, so ensuring the secure use of cloud services will be a fundamental piece of the compliance puzzle.”

About the research

This research was conducted via Google Surveys; 2,000 UK-based respondents, aged 18 to 64, were surveyed in December 2016.

© 2024 Professional Security Magazine. All rights reserved.