Less than two in five sure they are prepared for GDPR
8 February 2018
The results of this year’s National Data Protection Survey show both progress and causes for concern for data protection in Ireland. Presented at the National Data Protection Conference in Croke Park on 25 January, the study, compiled by the Irish Computer Society and the Association of Data Protection Officers, has measured Irish data protection trends for more than five years.
Concern about the ability to identify the location of sensitive data has increased to 34% from 27% last year, while negligent employees are still perceived as the greatest threat. These results illustrate the importance of not leaving responsibility for data protection at the door of IT or your organisation’s Data Protection Officer.
Less than 2 in 5 participants are sure their organisation is prepared for GDPR. Given that we are a little over 3 months away from GDPR enforcement, this will be concerning to the ODPC. In a similar study from ISME, also released in January 2018, only 7% of small businesses said they had completed their GDPR plan.
According to the ICS/ADPO study, a perception still remains that staff are not always aware of the importance of data protection procedures. Similarly, the ISME study said that while 83% of respondents are aware of GDPR, 70% have not identified the steps/actions their business needs to take.
Some 45% of ICS respondents said they had insufficient or no data protection training. The results also reveal a perception that some data protection training provided by employers may be lagging behind in areas not related to GDPR – only 38% felt they were fully up to date.
Numbers of organisations experiencing data breaches remain largely consistent with the previous three years. Data breaches were reported as typically caused by staff members (54%) but incidents of malicious external attacks increased from 15% to 22%. The good news is 86% are confident that organisations will learn from previous breaches.
One in three believe the risk of an external data breach has increased in the past year, but three quarters of companies have taken measures to address external data breach risks. Upgrading security infrastructure is still the most common measure to address this risk, closely followed by IT security auditing and greater provisions for staff training.
An increase in organisations with formal overseas transfer policies is consistent with the demise of Safe Harbour and the new demands of GDPR but 1 in 5 believe overseas transfer policies are rarely if ever implemented by employees. Given the potential impact of Brexit and internationally hosted cloud-based data centres, overseas transfers may be a banana skin once the GDPR panic is over.
Almost half of organisations have conducted a Privacy Risk Impact Assessment (PRIA) – up considerably on the reported 34% last year. However, 99% of respondents felt PRIAs were important so there is a large gap between those who feel they are important and the number of PRIAs actually undertaken.
Opinion is spreading around Subject Access Requests as 62% now believe that GDPR will make processing them more onerous in future, compared with only 46% in 2016.
The full results of the survey, along with all the presentations from the National Data Protection Conference, are available at www.dpo.ie
Irish Computer Society