A survey of UK GDPR decision-makers conducted on behalf of Egress, the provider of people-centric data security solutions, reveals that 52% of businesses are not fully compliant with the regulation, more than a year after its implementation.

The survey also found that 37% of respondents had reported an incident to the ICO in the past 12 months, with 17% having done so more than once. Interestingly, the results showed that over half (53%) of mid-size companies had reported data breaches to the ICO in the past 12 months, compared with 36% of small companies and only 23% of enterprise organisations.

Handling of sensitive data

Similarly, a notably lower percentage (39.5%) of mid-sized companies reported full GDPR compliance compared with 56% of large and 51% of small companies. Taken together, these figures indicate an evident gap in compliance performance among mid-size companies.

Other key survey findings include:

  • Only half of decision-makers (48%) reported that their business was fully compliant
  • 42% rated their organisation as ‘mostly compliant’
  • Over one-third (35%) said GDPR has become less of a priority for their organisation in the last 12 months
  • Implementing new processes around the handling of sensitive data has been the greatest area for compliance investment in the last 12 months, cited by 28% of those surveyed
  • Compliance investment priorities were then split across better auditing of what data is collected and why (18%), employment of a Data Protection Officer or other compliance personnel (18%), and new technology (17%). 7% said user education and training had been their biggest area of investment.

Making GDPR a top priority

A significant proportion (35%) of GDPR decision-makers said that the majority of compliance activity had taken place in the lead up to the May 2018 deadline and had since dropped down the priority list and remained less important. Only 6% said that the ICO’s recent high-profile announcements of its intention to fine British Airways and Marriott had subsequently shocked the business back towards greater awareness.

While 70% of decision-makers surveyed said that their organisation felt very positively about GDPR, less than two thirds (62%) said their business had made GDPR a top priority over the past year. Tony Pepper, CEO, Egress, comments: “Since the rush to meet last May’s deadline, we now appear to be seeing an ‘almost compliant is close enough’ attitude towards GDPR, with a significant percentage of decision-makers indicating that focus has waned in the past 12 months.”

Taking necessary steps towards protecting data

“The wait of more than a year between implementation and the first action taken by the ICO under GDPR seemed to lead to a perception outside the security industry that the regulation was ‘all bark and no bite’. Although the authority’s announcement that it intends to fine British Airways and Marriott such staggering sums sent shockwaves through the security community, it is concerning only 6% of organisations have taken action to avoid the full potential of the legislation. These announcements should definitely have acted as a clearer warning that organisations cannot risk compliance complacency.”

“This is important for businesses in the small and mid-market segments, where our survey found lower compliance levels being reported. Although the ICO’s action to date has focused on two well-known enterprise organisations, GDPR demands compliance from businesses of all sizes and they need to take all necessary steps towards protecting data.”

End-user education and training

When asked about their single greatest area of compliance investments, decision-makers chose:

  • Implementing new processes around the handling of sensitive data (28%)
  • Better auditing around what data we collect and for what reasons (18%)
  • Employment of a Data Protection Officer or other additional compliance staff (18%)
  • New technology (17%)
  • Implementing new procedures around incident reporting (8%)
  • End-user education and training (7%)

Security-related personal data breach incidents

Yet despite these investments, over one-third of respondents (37%) have reported at least one incident to the ICO in the last 12 months. According to analysis of ICO data, 60% of security-related personal data breach incidents in the first six months of 2019 were caused by human error.

Pepper adds: “The majority of respondents (96%) acknowledged their organisation has made investments in GDPR compliance in the last 12 months, with implementing new processes the most common top priority. Yet despite this, we continue to see data breach incidents being reported and we know from the ICO that the primary cause is human error – so clearly strategies need to shift if we are going to turn the tide against data breaches.”

Latest advances in security and DLP technology

“Reliance on people to follow processes and protect data is only going to get organisations so far: people are always going to make mistakes or behave unexpectedly, and more must be done to provide a safety net that protects sensitive information.”

“It’s positive to see that almost one-fifth (17%) of respondents are looking to technology as a way to mitigate breaches, but they must ensure these solutions tackle human error as the root cause of many of these incidents.”

“They must look to the latest advances in security and DLP technology that can map a user’s behaviour to prevent the array of mistakes that put data at risk – from falling for phishing attacks that can lead to malware or stolen credentials, to misdirecting emails or attaching the wrong documents. GDPR is here to stay, and we’re only going to see more companies penalised for data breaches unless we’re able to overcome these issues.”

