Nearly 18 months after GDPR came into force, over half of UK firms have admitted they have yet to become fully compliant with the regulation, with a new “almost is close enough” attitude emerging as business priorities shift.
Even the proposed fines against British Airways and Marriott International – totalling £282m – have not been enough to get businesses over the line, according to a new study by Egress, with just 6% saying these high-profile incidents had forced them into action.
The study, which quizzed 250 decision makers split equally between small firms, medium-sized businesses and large organisations, reported that only 48% were fully compliant.
The greatest level of investment in the past 12 months has been made on implementing new processes to govern the handling of sensitive data (cited by 28% of respondents), followed by the auditing of what data is collected and why (18%), hiring data protection officers (18%), implementing new cybersecurity technology (17%), and GDPR training (just 7%).
However, over a third of respondents said that the regulation – implemented into British law through the UK Data Protection Act 2018 – had become “less of a priority” for them in the past 12 months. Most said the majority of their compliance activity was carried out in the run-up to the May 25 2018 D-Day and had dropped ever since.
Despite this, a third of respondents said they had reported at least one GDPR breach to the ICO in the past 12 months.
Egress CEO Tony Pepper said: “We now appear to be seeing an ‘almost compliant is close enough’ attitude towards GDPR, with decision-makers indicating that focus has waned in the past 12 months. Clearly strategies need to shift if we are going to turn the tide against data breaches.
“The wait of more than a year between implementation and the first action taken by the ICO under GDPR seemed to lead to a perception outside the security industry that the regulation was ‘all bark and no bite’.
“Although the authority’s announcement that it intends to fine BA and Marriott such staggering sums sent shockwaves through the security community, it is concerning that only 6% of organisations have taken action since then.”
However, GDPR compliance might just have hit its limit. In the run-up to May 25 last year, an Experian survey revealed that nearly half of all companies were not even in shape for the UK Data Protection Act 1998, nearly 20 years after it was implemented.