Elephant in the Boardroom: UK Firms Lack GDPR Compliance Leadership

by Bharat Mistry

The EU General Data Protection Regulation (GDPR) is one of the most important and far-reaching pieces of legislation ever to come out of Brussels. That’s part of the reason so much has already been written about it. But before you reach GDPR-saturation point, consider new findings from a comprehensive new Trend Micro study which has revealed a worrying lack of leadership from senior executives when it comes to compliance efforts.

More concerning still, three-quarters (73%) of UK IT bosses we spoke to weren’t even aware of the potentially huge fines in store for non-compliance. With a 25 May 2018 deadline fast-approaching, time is running out.

False confidence
Trend Micro polled 1,000 IT leaders from across the globe to better understand GDPR awareness levels. At first sight, UK IT bosses appear pretty confident: all of those we surveyed said they are aware of the new regulation and 88% are sure that their data is as secure as it can possibly be – much higher than the global average of 79%.

However, things start to slide pretty quickly, with a large majority unaware of the massive fines of £17m (or 4% of global annual turnover) that regulators will be able to levy after May. In fact, a quarter even said that fines “wouldn’t bother them”. Awareness of a basic tenet of the law – what constitutes personal data – was similarly poor. More than half (56%) incorrectly said they wouldn’t class email marketing databases as personal data; a great deal more than the global average (42%). The figure fell to 29% for a postal address, and one in ten for a customer’s email address. In reality, all three are very much covered by the GDPR.

Part of the confusion still evident within many UK firms seems to lie with a lack of leadership at the very top. Nearly half of respondents thought that either the CEO (25%) or CISO (23%) should lead compliance efforts. Yet in reality, just a fifth (19%) have a C-level executive involved in the GDPR process and only a tenth have a board-level manager in charge. The IT department is still in charge in the majority (61%) of cases.

What to do next
There are many strands to the GDPR, making compliance a discipline which will require input from all over the organisation. From a strictly data protection standpoint, consider the following:

  • Form a privacy team comprising stakeholders from all relevant departments, including IT, HR, legal etc
  • Appoint a Data Protection Officer as soon as you’re able, to help co-ordinate efforts
  • Conduct an information audit to find out what data the organisation holds, where it flows to and what security controls are in place
  • Using the results of the audit, assess whether there are any compliance gaps that need addressing
  • Implement best practice security measures as recommended by the government
  • For any high-risk data projects, consider a Privacy Impact Assessment (PIA) to identify and reduce risk
  • Ensure you have the right processes in place to detect, report and investigate any breach of customer data

This year’s CLOUDSEC 2017 conference this week did much to help IT and business leaders navigate the choppy waters of GDPR compliance. Over 1,000 attendees flocked to the Park Plaza Westminster Bridge in the heart of London on Tuesday to hear a stellar line-up of speakers share their experiences and best-practice advice.

Internationally renowned privacy expert Stewart Room, Global Head of Data Protection & Cyber Security at PricewaterhouseCoopers Legal, shared his risk-based approach for GDPR compliance. And there were similarly inspirational presentations from Trend Micro’s VP of Security Research, Rik Ferguson; US Department of Homeland Security founding member, Gary Miliefsky; and Channel 4 News journalist, Geoff White – among many others.

We look forward to welcoming you all back next year for another compelling day of networking, insight and learning.


Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.