GDPR 3 years on: 43% of UK organisations reported to the ICO for a data breach


Almost half (43%) of UK businesses have been reported (actually or potentially) to the ICO since the GDPR went into effect, according to a survey.

The study by Apricorn, a maker of software-free, hardware-encrypted 256-bit AES XTS USB drives, found that a third (33%) notified the ICO themselves, while 10% were reported by someone else.

Another 9% of the IT executives surveyed did not know whether a violation in their organization had been reported to the ICO.

The risk of a data breach is the concern that worries UK IT executives most when they think about data protection regulations, cited by 57% of respondents. Next on the list is tackling the multitude of data threats (42%).

The survey results also suggest a lack of cyber resilience within companies, which is likely to affect their ability to manage, respond to, and recover from the risk of a data breach. Respondents also reported difficulties in properly identifying or locating data (33%), understanding data obligations (31%), and securing data appropriately (25%).

Also, when asked about the top challenges associated with implementing a cybersecurity plan for remote/mobile work, 39% of IT executives said they could not be sure that their data was adequately secured, 18% said they did not have a good understanding of which records need to be encrypted, and 15% said they have no control over where company data goes and where it is stored.

Jon Fielding, Apricorn Managing Director EMEA, said, “Prioritizing cyber resilience building strengthens a company’s ability to prepare, respond to, and recover from a cyber attack. It is important to know which data you collect, process and save in compliance with data protection regulations, where it is located and who has access. A cyber-resilient organization can quickly retrieve and restore data after an incident, identify and remedy the cause, while demonstrating transparency and due diligence to regulators.”

Resilience can be improved by focusing on four areas:

• Employee training. As noted in the latest Information Commissioner’s Office (ICO) security incident trend report, insider risk is the single largest contributor to most data breaches. It is critical that employees understand their responsibility for protecting the information they have access to, in accordance with their corporate security policy. Wherever possible, policies should be automated and enforced through technologies such as endpoint control that blocks USB ports so that only company-approved devices are accepted.
• Encryption of all company data as standard. This is an important compliance tool: proving that the information has been properly secured reduces a company’s obligations under the GDPR, while ensuring that any breached data can only be accessed by someone who is authorized to do so.
• Make offline backups mandatory. Whether backed up centrally and/or locally by each employee on a company-approved encrypted storage device, this ensures that data can be restored at any time and at the same time provides a line of defense against ransomware attacks.
• Maintain up-to-date visibility of all data. Organizations need to be able to map the lifecycle of their data from capture to deletion, including who has access and whether it was or could be at risk. This enables a quick and accurate response to incidents, and to questions from regulators.

The Apricorn survey shows that companies are realizing the importance of enterprise-wide data encryption. 31% of respondents said that their company now requires encryption of all data as standard, whether it is at rest or in transit, and a further 24% said this applies to data stored on their systems or in the cloud. Three quarters (77%) agree that their company has a policy to encrypt all data on removable media.

Jon Fielding continues: “We expect cyber attacks to increase as hackers take advantage of employees getting a grip on a new way of working. By providing removable USB sticks and hard drives that automatically encrypt all data written to them, companies can give everyone the ability to securely store data and move it offline. These devices can also be used to back up data locally, mitigate the risk of targeting in the cloud, and help the company get up and running quickly after a security breach or other disruptive event.”

About the survey

The survey was conducted by Vanson Bourne in March 2021. Respondents were 100 UK IT decision makers (CIOs, IT directors, senior IT managers, etc.) from corporate organizations (1000+ employees) in sectors including financial services, IT, manufacturing, and business and professional services.