Egress – which polled 250 decision makers, split a third each way between small businesses, medium-sized businesses, and large enterprises – reported that only 48% were fully compliant, and 42% “mostly” compliant.
If other, similar reports are accurate, this could suggest that non-compliance with GDPR is not only more widespread than thought, but in some cases, levels of compliance are being obfuscated by security professionals. In July 2019, two separate surveys – one by audit and tax consultancy RSM and the other by data virtualisation firm Delphix – found that 30% of European businesses were not confident they were compliant, and that some businesses were giving their leadership cause to believe they were compliant when this was not necessarily true.
Over a third of respondents to Egress’ survey also said that GDPR had become “less of a priority” for them in the past 12 months. Most of them said the majority of their compliance activity had taken place in the lead up to the May 2018 deadline and thereafter had dropped off the priority list.
This was in spite of the first big fines being handed down by the Information Commissioner’s Office (ICO) against British Airways and Marriott. Only 6% said these high-profile incidents had shocked them back towards greater awareness. “We now appear to be seeing an ‘almost compliant is close enough’ attitude towards GDPR, with a significant percentage of decision-makers indicating that focus has waned in the past 12 months,” said Tony Pepper, CEO of Egress.
“The wait of more than year between implementation and the first action taken by the ICO under GDPR seemed to lead to a perception outside the security industry that the regulation was ‘all bark and no bite’.
“Although the authority’s announcement that it intends to fine British Airways and Marriott such staggering sums sent shockwaves through the security community, it is concerning that only 6% of organisations have taken action to avoid the full potential of the legislation.”
Where investment in GDPR compliance was taking place, Egress revealed that the greatest area of investment in the past 12 months was around the implementation of new processes to govern the handling of sensitive data, but even then this was only cited by 28% of respondents.