Those who have used the second anniversary of GDPR to question its effectiveness might have to eat a large slice of humble pie following claims that nearly half of all UK companies have been reported to the Information Commissioner’s Office since the regulation came into force in May 2018.
According to a survey carried out by Apricorn, a quarter (25%) of IT decision makers said they had notified the ICO of a breach or potential breach within their organisation, while 21% have had a breach or potential breach reported by someone else, making a grand total of 46%.
The results would suggest there has been a huge spike in reports since January 2020, by which time 160,000 breach notifications had been made to data supervisory authorities in the European Economic Area (EEA), according to law firm DLA Piper.
Apricorn EMEA managing director Jon Fielding said: “The fact that so many businesses are now choosing to notify of a potential breach is positive, but likely precautionary to avoid falling foul of the requirements and any significant financial or reputational ramifications.”
However, the report claims that these concerns are being mitigated by an increase in encryption and endpoint control. Nearly all respondents (94%) say their organisation has a policy that requires encryption of all data held on removable media.
Of those with an information security strategy that covers employees’ use of their own IT equipment for mobile/remote working, 42% said they permitted only corporate IT provisioned/approved devices, and have strict security measures in place to enforce this with endpoint control. This has risen sharply over the past 12 months – from 12% – and highlights a positive shift in focus towards endpoint control, the report insists.
When questioned on whether they had seen an increase in the implementation of encryption in their organisation since GDPR was enforced, nearly four in ten (39%) said they had noticed a rise and that their organisation now requires all data to be encrypted as standard, whether it is at rest or in transit.
This would suggest fears of mass data breaches involving staff working from home are unfounded.
When asked about the impact of a data breach on their organisation, more than a third (35%) of respondents said that damage to the brand and reputation of the business is their main concern. This was followed by concerns over financial costs for incident response and clean-up (28%), loss of customer trust (18%) and financial costs resulting from a fine (12%).
Fielding concluded: “It’s clear that GDPR is finally having some impact, but businesses need to recognise that compliance is ongoing and they should continue to enforce and update all policies.”