Only Two-Fifths of UK Firms Report Data Breaches On Time

Cyber Security News

It’s three years today since the GDPR was launched across Europe but UK businesses are still failing to meet some of its most basic reporting requirements, CrowdStrike has warned.

The security vendor polled a sample of 500 UK business decision makers between April 30 and May 10 to better understand uptake of the legislation, and the Data Protection Act 2018, which applies its principles in UK law.

Unfortunately, the poll found that just 42% of UK firms that have been breached report the incident to the regulator within 72 hours, as required by law.

The study found a general lack of awareness and visibility elsewhere: 67% of respondents said they consider themselves “prepared” should they become a breach victim, but only around a third (36%) have actually readied specific protocols to deal with the fallout of such an incident.

Over a fifth (22%) claimed they either don’t know or don’t think the GDPR applies to the UK following Brexit.

What’s more, two-thirds of businesses either don’t know (41%) or underestimated (25%) the maximum amount the Information Commissioner’s Office (ICO) can fine erring companies: 4% of global annual turnover or £17 million, whichever is higher.

Zeki Turedi, EMEA CTO at CrowdStrike, told Infosecurity that many organizations are struggling to understand what a data breach even is, and how much time they have to report it.

“For example, some companies are unaware that simply sending confidential information about an individual to an incorrect email address can trigger the need for a GDPR notification,” he argued.

“The CISO has a critical role to play here, not just in helping to protect the business in the first place, but also in ensuring the company understands its legal requirements when it comes to breaches and is in a position to meet them. The research underlines the continued need to educate organizations on the use of GDPR and how it impacts them.”

Alongside the CISO’s role here, the GDPR also mandates most large organizations appoint a Data Protection Office (DPO) to handle such issues.