Six in 10 US employees clueless about GDPR – survey

Just months before the EU General Data Protection Regulation takes effect globally, more than half of US-based employees in various industries have never heard of the upcoming regulation, according to a survey by adaptive training experts at MediaPro.

In October of last year, MediaPro surveyed 1,007 US employed residents 18 years or older about best practices and regulations regarding data protection, both global and national. The company offered five real-life scenarios that dealt with different aspects of data privacy / protection knowledge or a best practice.

One of the most striking results was that, five months ahead of the EU GDPR implementation, 59% of respondents said the GDPR was "completely new" to them.

The GDPR applies to all organizations that process personally identifiable information (PII) of EU residents. And that includes most global companies. The penalty for noncompliance, depending on the situation, ranges from a percentage of the business’s annual turnover to 20 million Euros (US $27 million).

The upcoming regulation mainly addresses big entities / organizations – not individual workers at those organizations – but the text clearly indicates that employees in many departments shoulder compliance responsibilities with upper management.

A good example is the Human Resources department, which most global businesses rely on to source, or in some cases outsource, acumen and manpower.

HR Tech Weekly, a digital digest-aggregator with a focus on Human Resources, appropriately points out that HR employees will soon be on the front line of GDPR compliance in most businesses:

“As custodians of employee information, they’ll be the ones who will need to audit existing processes; validate their own security and that of third parties that they share HR information with such as HR software and payroll providers; take on at least some of the responsibility for compliance training and monitoring and equip themselves to report any data breaches involving employee data, as well as respond to ‘subject access requests’ from employees.”

The MediaPro survey further uncovered that 8% of respondents were unsure if they should report a cybercriminal stealing sensitive client data while at work. And finance staffers did not consider tax information as extremely sensitive. Workers in the education and healthcare segments (actual numbers not given in the press release) were inclined to believe the same.

Finally, and perhaps more worryingly, respondents in the technology sector demonstrated “the least ability to correctly identify scenarios that could put private data at risk.”

This tidbit somewhat contradicts another finding in the survey: that employees in the technology sector were also the most familiar with the GDPR. Full findings are disclosed in the 2018 Eye on Privacy Report (subscription required).