More than half of UK businesses are taking GDPR compliance risks

Published: Wednesday, 11 September 2019 08:45

A survey of UK GDPR decision-makers conducted on behalf of Egress, has found that 52 percent of businesses are not fully compliant with the regulation, more than a year after its implementation. The survey also found that 37 percent of respondents had reported an incident to the ICO in the past 12 months, with 17 percent having done so more than once. Interestingly, the results showed that over half (53 percent) of mid-size companies had reported data breaches to the ICO in the past 12 months, compared with 36 percent of small companies and only 23 percent of enterprise organizations. Similarly, a notably lower percentage (39.5 percent) of mid-sized companies reported full GDPR compliance compared with 56 percent of large and 51 percent of small companies. Taken together, these figures indicate an evident gap in compliance performance among mid-size companies.

Other key survey findings include:

A lessening focus on GDPR in the last 12 months

A significant proportion (35 percent) of GDPR decision-makers said that the majority of compliance activity had taken place in the lead up to the May 2018 deadline and had since dropped down the priority list and remained less important. Only 6 percent said that the ICO’s recent high-profile announcements of its intention to fine British Airways and Marriott had subsequently shocked the business back towards greater awareness. While 70 percent of decision-makers surveyed said that their organization felt very positively about GDPR, less than two thirds (62 percent) said their business had made GDPR a top priority over the past year.

Tony Pepper, CEO, Egress comments: “Since the rush to meet last May’s deadline, we now appear to be seeing an ‘almost compliant is close enough’ attitude towards GDPR, with a significant percentage of decision-makers indicating that focus has waned in the past 12 months. The wait of more than a year between implementation and the first action taken by the ICO under GDPR seemed to lead to a perception outside the security industry that the regulation was ‘all bark and no bite’. Although the authority’s announcement that it intends to fine British Airways and Marriott such staggering sums sent shockwaves through the security community, it is concerning only 6 percent of organizations have taken action to avoid the full potential of the legislation. These announcements should definitely have acted as a clearer warning that organisations cannot risk compliance complacency.”


The survey was conducted in July 2019 by independent research organization OnePoll on behalf of Egress. 250 GDPR decision-makers were surveyed from companies of all sizes in sectors including IT; engineering and manufacturing; accountancy banking and finance; retail; business consultancy and management; education; healthcare. 33 percent of respondents worked for companies with more than 1000 employees (large). 32 percent worked for companies with between 250-999 employees (mid-size) and 35 percent worked for companies with <249 employees (small).