Over Half of UK Firms Still Not GDPR Compliant

Over half of UK businesses aren’t compliant with the GDPR more than 15 months after its introduction, despite many reporting data security incidents to the ICO, according to new research from Egress.

The security vendor polled 250 “GDPR decision-makers” from companies of all sizes and sectors to compile its new report, GDPR compliance: where are we now?

Some 52% said they were not fully compliant with the EU-wide data protection regulation, with over a third (35%) claiming compliance had dropped down the priority list over the past year. That’s concerning given that GDPR compliance cannot be achieved via a one-off tick box exercise but requires continual attention.

Just 6% said the recent ICO fines issued to BA and Marriott raised the profile of GDPR again within the business.

Although 42% of respondents rated their firm as “mostly compliant,” it’s unclear which elements were still lacking. Data breach threats can come from anywhere and it only takes a small oversight for a potentially serious incident to occur.

Bearing this out, over a third of respondents (37%) reported at least one incident to the ICO in the past 12 months. According to Freedom of Information (FOI) data obtained by Egress, 60% of the security-related personal data breach incidents reported to the watchdog in the first six months of 2019 were caused by human error.

The findings suggest that mid-sized companies are either the most exposed to data security incidents or the most diligent about reporting them.

Over half (53%) of mid-size companies (250-999 employees) reported data breaches to the ICO in the past 12 months, compared with 36% of small companies (1-249 staff) and only 23% of enterprises (1000+ employees), according firms still compliant