GDPR: Confusion in boardrooms about what constitutes ‘personal data’
With GDPR just 9 months away, it would be reasonable to assume that boardrooms across the UK would be filled with chatter as companies decide on what their strategies are going to be.
Well, that may not be the case, according to a survey by Trend Micro and Opinium of 1,130 IT decision makers operating at C-level or middle to senior management level, from large businesses (500 plus employees) in 11 countries including the US, UK, France and Germany.
While 88% of British business leaders are confident that their data is as secure as possible (above the global average of 79%), there is still some confusion as to what exactly the new regulations entail.
79% of UK respondents were not aware that dates of birth are classed as personal data under GDPR, compared to 64% of overseas businesses. 56% do not think that email marketing databases count (they most certainly do!), compared to 42% of their international peers.
Businesses that do not protect this information in the correct manner not only expose themselves and their customers to potential hacking, but could also face hefty fines under GDPR. 73% of UK respondents did not know how large the fines are, which can be between 2% and 4% of annual global turnover.
“The lack of knowledge demonstrated in this research by enterprises surrounding GDPR is astounding. Birth dates, email addresses, marketing databases and postal addresses are all critical customer information, and it’s concerning that so many British businesses – despite their confidence – are unaware of that,” Rik Ferguson, VP Security Research at Trend Micro, commented.
Moving towards disaster?
The question of who is responsible for any loss of EU data is also an important part of the regulation that UK businesses seem to be missing. If a US service provider loses EU data, the responsibility falls on both parties. Only 11% of UK respondents knew this, with 63% incorrectly thinking that the fine would go to the EU data owner.
Only 19% of UK respondents have a C-level executive involved in the GDPR management process, with 61% leaving the issue to their IT teams.
“If organisations don’t take the regulation seriously, they could be subject to a fine that’s a significant portion of global revenue. The task for the C-Suite now is to see GDPR as a business issue rather than a security issue, before it gets to that stage,” Ferguson continued.
“Preparing for GDPR is a tremendous task, from investing in state of the art technologies, to implementing data protection and notification policies. But this preparation will be redundant if businesses don’t understand what data this applies to, and which parties are responsible. There’s an industry-wide education gap here, and it needs to be addressed.”