Businesses have not yet been cowed into full compliance with the General Data Protection Regulation (GDPR), according to GDPR Compliance—Where Are We Now?, a survey commissioned by Egress Software Technologies Ltd. and conducted by OnePoll.
While 96% of UK firms have invested in processes for handling GDPR and data, only 48% are in full compliance, meaning that 52% are not.
Moreover, 35% are now less interested in GDPR, as are 27% of those who said they took it seriously at the outset. The figure is 35% among retail companies and 32% among IT providers.
And a few that saw their interest diminish were shocked back into awareness by the ICO announcement of fines against British Airways and Marriott.
Many companies could find themselves in similar straits. Of the GDPR decision-makers polled, 37% say they had to report a data breach incident in the last 12 months. Of these, 17% had reported more than one episode.
“Evidence suggests that, when the ICO investigates these incidents, a high percentage of organizations will be found wanting,” the study says.
Email played a role in 18% of the breaches, with these failures resulting from mistakes such as sending an email to the wrong recipient or not using BCC.
Another 40% of the breaches resulted from incorrect disclosure, 20% from employees sending the wrong data to a recipient, 5% from phishing attacks and 14% from other causes.
Of the large companies surveyed, 10% reported a single breach and 13% reported more than one. Mid-size outfits were more likely to be hit, with 30% reporting one breach and 23% reporting more than that.
Information technology companies were the most popular targets, with 47% reporting one or more episodes. And 29% of engineering and manufacturing firms were hit.
On the positive side, 42% are part of the way to full GDPR compliance, and 8% are part of the way there. Only 2% are totally non-compliant.
In addition, 70% overall say they feel “positively” about protecting data. And 62% have made GDPR a top priority in the last 12 months, a percentage that rises to 81% in the banking and insurance sector and 71% for firms with 1,000 employees or more.
Oddly, the highest rate of compliance is among firms with 10 to 51 employees. Businesses with 1,000 or more employees are slightly less compliant.
The biggest area of GDPR investment for 28% is processes for the handling of sensitive data. The number rises to 30% for mid-size firms and 32% for large ones.
But 26% have invested most in better auditing of the data they collect (an outlay reported by 29% of engineering and manufacturing firms), 22% in new process implementation and 20% in hiring a data protection officer.
OnePoll surveyed 250 GDPR decision makers for Egress.