Data breaches prompt UK businesses to re-think data protection strategy

Trend Micro research finds majority of organisations lack customer notification processes required under impending EU Data Protection Regulation.

  • Wednesday, 20th August 2014, by Phil Alsop

More than two thirds (68%) of UK organisations have been prompted to re-think their data protection strategy in light of recent high-profile data breaches suffered by the likes of eBay, Kickstarter, and Adobe, according to research from Trend Micro Incorporated.


Worryingly, however, 24 per cent said that they had not reconsidered their data protection strategy in the wake of those attacks. The second instalment of Trend Micro’s EU Data Protection Regulation report, which surveyed 850 senior IT decision makers across Europe, finds that UK respondents see the biggest threat to their organisation’s data as coming from accidental loss by employees (36%), followed by cyber criminals (29%).


The EU Data Protection Regulation is proposed legislation that aims to comprehensively reform data protection, strengthen online privacy rights and boost Europe’s digital economy. Under the current draft, fines for breaking the regulation could be as high as €100 million or 5 per cent of global revenue.


“That businesses are being prompted by news coverage of big breaches suggests that the current penalties aren’t doing their job,” says Rik Ferguson, Vice President Security Research at Trend Micro. “Driving change is what the fines are meant to do: the financial incentives aren’t big enough at the moment.


“However, it’s not just the fine that a business has to pay, it’s also a big hit to their reputation. That means businesses should not be complacent about their existing security provision; the new EU data framework could mean fines of up to 5 per cent of global turnover, a level that pushes the potential costs of a data breach firmly into the C-suite’s territory,” added Ferguson.


In an effort to protect themselves against these threats, the majority of UK organisations have increased staff awareness (72%) about data security or implemented encrypted passwords (60%). Around half have implemented remote wipe technology for lost devices (47%) while a third (32%) have implemented advanced technologies to identify intruders on the network that might steal data.


Handling of customer data
More than one in three (37%) UK businesses are seeing customers demand greater transparency about how much of their personal data is being kept and where. Yet a third (32%) do not have a formal process in place to notify customers in the event of a data breach, and only 26 per cent have a formal process and always notify their customers.


In the UK, 13 per cent of businesses reported that their customers never demanded transparency about how their personal data is kept. “That is set to change,” said Ferguson. “We’re going to see a lot more customers invoking the right to be forgotten. Customers will be asking ‘Do organisations even know where my data is? Do they know how to delete it?’ If a company like Google is struggling, imagine what it’s going to be like for mere mortals.”


“The impending EU General Data Protection Regulation stipulates that customers must be notified of a data breach without undue delay and that the applicable regulator must be notified within a timescale that may be as short as 24 hours. The majority of UK organisations don’t have this capability, and this is a perfect example of how organisations will need to upscale their readiness against tough new standards,” said Vinod Bange, partner at Taylor Wessing.


“The European Court of Justice ruling earlier this year provided that European citizens can ask search engines to remove particular links from online search results, and also established that EU data laws apply in a context that was not previously envisaged, so organisations need to ensure that they have processes in place to address compliance with EU data laws which they may have previously considered as not applicable to them.”


Lack of support
Most British businesses are confident that their organisation is as secure as it can be against a data breach: 69 per cent said they were either very confident (13%) or somewhat confident (56%) that this is the case.


However, there is a lack of support for the upcoming EU General Data Protection Regulation, with fewer than one in five (18%) of UK organisations feeling that it will prevent organisations from losing or illegally collecting data about European citizens – the lowest figure of all the EU countries polled.


Over three quarters (78%) of the UK IT decision-makers surveyed believe that the European Commission could consult businesses more, or does not consult them enough, before setting data protection regulations. Fewer than half (41%) of respondents believe that a new EU General Data Protection Regulation is even required to improve data protection, compared to 81 per cent in Italy.


“Awareness is growing among companies that the new EU data legislation will have a significant impact on their businesses, but there is still some way to go,” said Ferguson. “It’s frightening considering how close it is and how little some organisations know.


“Large enterprises are aware they have to be compliant, but smaller organisations don’t have the right people looking at it. Ultimately it’s the government’s responsibility to make sure that business is aware of what this means, but whether that’s the UK government or EU government is a key question.”