This weekend marks the first anniversary of the introduction of the EU’s General Data Protection Regulation (GDPR). The findings from a new survey announced by Apricorn reveal that organisations are getting some things right, others less so, when it comes to the impact of GDPR on informing security policy.
The survey notes a surge, albeit a relatively modest one, in enterprises implementing data encryption by default. According to Apricorn, close to 66 percent of organisations now hardware encrypt their data, compared with only half enforcing such a policy last year.
About 41 percent state there has been an increase in the implementation of data encryption at rest and in transit since GDPR day zero, demonstrating that compliance is having a positive impact upon security policy.
The survey also suggests that this impact is being felt at board level, where the C-suite is now owning the security budget for 86 percent of the companies surveyed. A big slice of that budget is heading in the direction of GDPR compliance, 30 percent on average, itself a huge jump from the 13.7 percent reported in 2018.
It's not all good news though, as 24 percent of those who are compliant this year say there wasn't any need for further budget or resources to be allocated. This is despite a whopping 98 percent of them agreeing last year that both the budget and the resources would continue to be needed once compliance was achieved.
This, and the fact that 27 percent cited a lack of encryption as a main cause of a data breach at their organisation, would seem to suggest there's more work to be done when it comes to fully grasping the infosecurity nettle.
Jon Fielding, the managing director (EMEA) at Apricorn, agrees with this. "It’s clear that organisations are getting their houses in order," he said. "But there still seems to be a long way to go in terms of education and awareness. Organisations need to be mindful that GDPR is an ongoing process and not just a tick box exercise."
This means enforcing and updating policies and investing in regular employee awareness training. Awareness still remains lacking in too many organisations, according to David Smith, head of GDPR technology for SAS UK & Ireland.
"All that the first year of GDPR enforcement has really shown us is the depth of confusion over the regulation," Smith said. "It may be the topic that we’ve all heard enough about, but the simple fact is that widespread compliance simply hasn’t happened."
SAS research found that 56 percent of consumers have plans to activate their rights under GDPR, indicating that the risk from non-compliance is high and growing.
This brings us back to the importance of encryption. While the lack of encryption itself doesn't make you more likely to suffer a data breach, it does make any such breach more costly to both customers whose information is compromised and the business bottom line.
Article 32 of the GDPR names encryption among the measures for protecting sensitive data. Article 34 makes clear that obligations towards breached data subjects are reduced where the breached data had been encrypted.