GDPR preparation low among Irish organisations
20 January 2017
Less than half of Irish organisations have begun preparation for the looming General Data Protection Regulation (GDPR), with less than one in five regarding themselves as well prepared.
These are some of the key findings of a survey of more than 200 Irish IT professionals by the Irish Computer Society and the association of data protection officers.
Only 44% of survey respondents said they had already begun preparation for GDPR, which will come into effect in May 2018, along with the Network and Information Security (NIS) directive.
Of those who said preparations were underway, only 13% said they were very prepared, with 45% saying they were somewhat prepared.
Among the chief concerns of organisations over the GDPR, top of the list were the stiffer penalties that can be imposed, such as fines of up to €20 million or 4% of global turnover. This was followed by new accountability requirements, data gathering consent requirements and additional data controller requirements.
In this context, most Irish organisations (70%) have taken steps to address the threat of an external data breach, though this is down from nearly three quarters (73%) in 2016 and three quarters in 2015.
This tallies with the perceived threats among organisations, as some 43% said that the greatest threat to an organisation’s data assets was from external attackers, which was up from 39% in 2016, and 33% in 2015. The next greatest threat was from negligent employees (36%), followed by end user devices with sensitive data.
The survey respondents were optimistic regarding end user awareness of security and data policies. The respondents felt that awareness was greatest for information security policies (82%), followed by data retention/destruction policies (70%) and data breach policies (64%). Furthermore, respondents expressed confidence that employees understood information security policies (53%), data breach policies (47%) and data retention and destruction policies (43%).
In terms of improving awareness and understanding among end users, formal training and awareness programmes are still seen as the most effective means of educating end users (57%), a figure unchanged from the previous year.
The reality of data breaches was that almost two thirds (61%) of respondents reported having a breach within the last 12 months, though more than half of these were caused by staff members. The number of breaches by external attackers has also steadily increased in recent years, the survey found, rising from 15% in 2016 to 22% this year. Of those who had experienced a breach, more than a quarter (28%) reported more than one incident.
“There is definitely a pattern emerging,” said Lanre Oluwatona, data protection officer, Irish Computer Society. “Looking through previous years, we can see a steady increase in the number of data breaches, and our level of training and awareness is to some extent reset to zero following the new regulations.”
“Keeping up with the legislation, as well as the increasing incidence of external data breach attacks, are forcing organisations to re-train their staff, refresh their policies and refortify their IT defences,” said Oluwatona.