The updated EU General Data Protection Regulation (GDPR) legislation is coming in the next two years – but businesses are at risk of fines because of gaps in knowledge, according to new research from Trend Micro.
More than a quarter (26%) of companies don’t know how much time they have to become compliant, according to the report which surveyed 100 senior IT decision makers in the UK. Almost one in five (18%) are not currently aware that they face fines, while a third (32%) understand there are fines, but know no more than that. One in five UK IT decision makers are still unaware of the GDPR plans. 31% think their organisation has within six to 12 months to become compliant, while 11% believe they have two to three years.
Trend Micro admits the results portray a sense of confusion around the data protection regulations. The EU’s stance, as stated in a press release earlier this month, confirms that “member states will have two years to transpose the provisions of the directive into national law”. For the UK and Ireland, the directive’s provisions will apply only “to a limited extent”, while Denmark will decide within six months of adoption whether the directive will be implemented into its national law.
“As it often happens with regulation, it’s going to take a whipping boy to understand the gravity of the situation for most organisations,” said Rik Ferguson, Trend Micro global VP of security research. “One high-profile case of a company handing money over for non-compliance under GDPR will be the required wake-up call the rest of the industry needs to get their act together.”
Neil Thacker, information security and strategy officer EMEA at Forcepoint, wrote for this publication in February regarding best practice for implementing the new directives, including the right to be forgotten, and users’ rights to transfer their data to another service provider and learn when they have been hacked. Businesses should first identify where personal identifiable information (PII) resides, then move forward to detecting breaches.
Businesses can face fines of up to 4% of their annual turnover for non-compliance with the GDPR.