A new report from Trend Micro has revealed that the boards of UK companies are not treating the new European Union General Data Protection Regulations with the seriousness that they deserve. This has resulted in an overconfidence when it comes to GDPR compliance.

The report by Trend Micro was done in conjunction with Opinium between 22 May and 28 June 2017, interviewing 1132 business leaders. Respondents to the survey held either C-Level, senior management or middle management decisions, and work in organisations operating in multiple sectors, including retail, financial services, public sector, media and construction.

Takeaways from the report include:

  • There is a very good general awareness about the new General Data Protection Regulations, with every one of the UK business leaders knowing that the GDPR exists and needs to be complied with when it comes into force.
  • 88% of British businesses leaders have seen the GDPR regulations.
  • 88% of British businesses expressed confidence that their data is as secure as it can be, which is nine per cent more than the global average.
  • There is some confusion over what actually constitutes personal data, with 79% of those UK business leaders being unaware that a customer’s date of birth is classed under GDPR as personal data.

“The lack of knowledge demonstrated in this research by enterprises surrounding GDPR is astounding. Birth dates, email addresses, marketing databases and postal addresses are all critical customer information, and it’s concerning that so many British businesses – despite their confidence – are unaware of that,” Rik Ferguson, VP Security Research at Trend Micro commented. “If businesses aren’t protecting this data, they aren’t respecting the impending regulation – or their customers – and they definitely aren’t ready for GDPR.

“With just nine months to go before it comes into force, GDPR should be the biggest boardroom issue of the moment. But the findings suggest it’s the elephant in the British boardroom. If organisations don’t take the regulation seriously, they could be subject to a fine that’s a significant portion of global revenue. The task for the C-Suite now is to see GDPR as a business issue rather than a security issue, before it gets to that stage.” Ferguson continued. “Preparing for GDPR is a tremendous task, from investing in state of the art technologies, to implementing data protection and notification policies. But this preparation will be redundant if businesses don’t understand what data this applies to, and which parties are responsible. There’s an industry-wide education gap here, and it needs to be addressed.”

The findings are particularly concerning now that there is less than one year from the new European Union General Data Protection Regulations coming into force on May 25 2018.