Monday, October 2, 2023

GDPR: Confusion in boardrooms about what constitutes ‘personal information’

As companies settle on what their strategies will be, with GDPR just 9 months away, it would be reasonable to assume that boardrooms across the UK would be full of chatter.

Well, that might not be the case, according to a poll by Trend Micro and Opinium of 1,130 IT decision makers at C-level or middle to senior management level, from large businesses (500-plus employees) in 11 countries, including the US, UK, France and Germany.

While 88% of British company leaders are confident that their data is as secure as possible (above the worldwide average of 79%), there is still some confusion about what the new regulations entail.

79% of UK respondents were not aware that dates of birth are classed as personal data under GDPR, compared to 64 percent of foreign companies. 56% said they do not think that email marketing databases count (they most certainly do!), in contrast to 42 percent of their global peers.

Firms that do not protect this information properly not only expose their clients to potential hacking, but may also face hefty fines. 73 percent of UK respondents did not know what the fines are, and they are significant: 4% of global turnover.

“The absence of knowledge demonstrated in this research by businesses surrounding GDPR is astounding. Birth dates, email addresses, marketing databases and postal addresses are critical customer information, and it is concerning that so many British businesses — despite their assurance — are unaware of that,” commented Rik Ferguson, VP Security Research at Trend Micro.

Moving towards disaster?

The question of who is accountable for any loss of EU data is a significant part of the regulation that UK businesses seem to be missing. If EU data is lost by a US service provider, the obligation falls on both parties. Just 11% of UK respondents knew this, with 63% wrongly thinking that the fine could go to the EU data owner.

Just 19% of UK respondents have a C-level executive involved in the GDPR management process, with 61% leaving the issue to their IT teams.

“If businesses do not take the regulation seriously, they might be subject to a fine that is a significant part of international earnings. The job for the C-suite now, before it gets to this stage, is to see GDPR as a business issue rather than a security problem,” Ferguson continued.

“Preparing for GDPR is a huge task, from investing in state-of-the-art technology to implementing data protection and reporting policies. However, this preparation will be redundant if companies don’t understand what it applies to, and which parties are in charge. There’s an industry-wide education gap here, and it ought to be dealt with.”