No clue how to process data lawfully, firms admit
Countless warnings about the GDPR still haven’t prompted businesses into action, as more than seven in 10 admit to not knowing the lawful basis for processing data.
An even bigger chunk (almost eight in 10) are yet to review their Data Protection policy and, if they currently outsource data, half don’t check the processes that it goes through.
“Businesses continue to be woefully underprepared, despite the numerous warnings issued, and have left themselves wide open to being in breach of the new [General Data Protection] Regulation,” warns cyber security firm ThinkMarble, which produced the findings.
“Too many see the new regulations as a compliance tick-box activity and a burden, when really it should be viewed as an investment into your business, your employees and your customers.”
Gerrish Legal, a specialist in GDPR compliance, agrees that the May 25th framework is an opportunity for IT contractors and other suppliers to ‘provide added value to clients.’
But many of the issues exist before ‘sub-processors’ (like IT contractors) come into the fold. For example, a quarter of businesses have ‘borrowed’ their DP policy from another firm.
About half as many are not registered with the Information Commissioner’s Office, even though the law requires them to because they process personal data, ThinkMarble also found.
And as well as the 50% of the 250 businesses polled not checking their outsourcers’ data processes, the same ‘out of sight, out of mind’ stance is taken when exporting information.
In fact, 67% of the businesses admitted that they do not make data security checks when sending data outside the European Economic Area.
The only vaguely positive finding is that the chunk of businesses yet to review their DP policy reduces slightly when they are asked if they reviewed it because of the EU-based framework.
“For those companies that embrace the GDPR and review, update and maintain information cyber security best practices, they will become the future leaders of industry,” believes ThinkMarble founder Andy Miles.
But there’s a long way to go. Sixty-eight per cent don’t inform people what will be done with their data; 43% don’t tell people their data will be shared; 76% haven’t reviewed how they obtain consent; and 78% don’t have policies to dispose of data.
“I expect that we will see future customers seeking reassurance on how their data is processed and managed,” Mr Miles said. “The[se] results highlight the extent to which UK business continue to remain unprepared for the General Data Protection Regulation.”