
More than half of UK businesses are taking GDPR compliance risks

A survey of UK GDPR decision-makers conducted on behalf of Egress has found that 52 percent of businesses are not fully compliant with the regulation, more than a year after its implementation. The survey also found that 37 percent of respondents had reported an incident to the ICO in the past 12 months, with 17 percent having done so more than once. Interestingly, the results showed that over half (53 percent) of mid-size companies had reported data breaches to the ICO in the past 12 months, compared with 36 percent of small companies and only 23 percent of enterprise organizations. Similarly, a notably lower percentage (39.5 percent) of mid-size companies reported full GDPR compliance, compared with 56 percent of large and 51 percent of small companies. Taken together, these figures indicate an evident gap in compliance performance among mid-size companies.

Other key survey findings include:

  • Only half of decision-makers (48 percent) reported that their business was fully compliant
  • 42 percent rated their organization as ‘mostly compliant’
  • Over one-third (35 percent) said GDPR has become less of a priority for their organization in the last 12 months
  • Implementing new processes around the handling of sensitive data has been the greatest area for compliance investment in the last 12 months, cited by 28 percent of those surveyed
  • Compliance investment priorities were then split across better auditing of what data is collected and why (18 percent), employment of a Data Protection Officer or other compliance personnel (18 percent), and new technology (17 percent). 7 percent said user education and training had been their biggest area of investment.

A lessening focus on GDPR in the last 12 months

A significant proportion (35 percent) of GDPR decision-makers said that the majority of compliance activity had taken place in the lead-up to the May 2018 deadline and that GDPR had since dropped down the priority list and remained less important. Only 6 percent said that the ICO’s recent high-profile announcements of its intention to fine British Airways and Marriott had subsequently shocked the business back towards greater awareness. While 70 percent of decision-makers surveyed said that their organization felt very positively about GDPR, less than two-thirds (62 percent) said their business had made GDPR a top priority over the past year.

Tony Pepper, CEO, Egress, comments: “Since the rush to meet last May’s deadline, we now appear to be seeing an ‘almost compliant is close enough’ attitude towards GDPR, with a significant percentage of decision-makers indicating that focus has waned in the past 12 months. The wait of more than a year between implementation and the first action taken by the ICO under GDPR seemed to lead to a perception outside the security industry that the regulation was ‘all bark and no bite’. Although the authority’s announcement that it intends to fine British Airways and Marriott such staggering sums sent shockwaves through the security community, it is concerning that only 6 percent of organizations have taken action to avoid the full potential of the legislation. These announcements should definitely have acted as a clearer warning that organisations cannot risk compliance complacency.”

The survey was conducted in July 2019 by independent research organization OnePoll on behalf of Egress. 250 GDPR decision-makers were surveyed from companies of all sizes in sectors including IT; engineering and manufacturing; accountancy, banking and finance; retail; business consultancy and management; education; and healthcare. 33 percent of respondents worked for companies with more than 1000 employees (large), 32 percent worked for companies with between 250 and 999 employees (mid-size), and 35 percent worked for companies with fewer than 249 employees (small).
