More than a year after the European Union enacted the General Data Protection Regulation (GDPR), half of businesses in the United Kingdom are still not fully compliant. Around 52% stand to incur big penalties from the Information Commissioner’s Office (ICO), in case they misuse personally identifiable information of EU residents.
New research shows focus on GDPR compliance is waning among British organizations more than a year after the new data protection law took effect. According to a survey conducted in July 2019 by independent research organization OnePoll on behalf of Egress, only 48% of decision-makers reported that their business was fully compliant, and 42% rated their organization as ‘mostly compliant.’ Implementing new processes around the handling of sensitive data has been the greatest area for compliance investment in the last 12 months, cited by 28% of those surveyed. However, 35% said GDPR has become less of a priority for their organization in the last 12 months.
Asked about their single greatest area of compliance investment, decision-makers reported:
- Implementing new processes around the handling of sensitive data (28%)
- Better auditing around what data we collect and for what reasons (18%)
- Employment of a Data Protection Officer or other additional compliance staff (18%)
- New technology (17%)
- Implementing new procedures around incident reporting (8%)
- End-user education and training (7%)
Despite investments towards compliance, 37% of respondents have reported at least one incident to the ICO in the last 12 months, while 17% have done so more than once, the report notes. And 60% of security-related personal data breach incidents in the first six months of 2019 were caused by human error, according to analysis of ICO data.
Some 53% of mid-size companies reported data breaches to the ICO in the past 12 months, compared with 36% of small companies and only 23% of enterprise organizations. Around 40% of mid-sized companies reported full GDPR compliance, compared with 56% of large and 51% of small companies, researchers also noted.
“Taken together, these figures indicate an evident gap in compliance performance among mid-size companies,” according to the report.
The research shows that, since the rush to meet the May 2018 deadline, companies targeted by the regulation are adopting an “almost compliant is close enough” attitude towards GDPR.