#privacy: More than half of UK businesses are not fully GDPR compliant

Data Protection Authority

Research by Egress has revealed that 52% of UK businesses are still not fully compliant with GDPR regulation since its implementation.

The survey of UK GDPR decision-makers found that 37% of respondents had reported an incident to the ICO in the past year, to which 17% having done so more than once.

Interestingly, it was noted that in the past 12 months 36% of small companies had reported data breaches to the ICO in comparison to mid-size companies (53%). Whilst only 23% of enterprise organisations reported data breaches to the ICO.

Similarly a lower percentage of mid-sized companies (39.5%) reported full GDPR compliance in comparison to large (56%) and small (51%) companies. These figures indicated a clear gap in compliance performance among mid-size companies.

Tony Pepper, CEO, Egress said: “Since the rush to meet last May’s deadline, we now appear to be seeing an ‘almost compliant is close enough’ attitude towards GDPR, with a significant percentage of decision-makers indicating that focus has waned in the past 12 months.”

Decision makers were asked about their single greatest area of compliance investments, to which 28% chose implementing new processes around the handling of sensitive data, 18% cited better auditing around what data is collected and for what reasons, another 18% chose the employment of a Data Protection Officer or other compliance staff, whilst 8% cited implementing new procedures around incident reporting.

However despite these investments, 37% of decision makers had reported at least one incident to the ICO in the last 12 months.

The survey also revealed that over one third (35%) of decision makers said that GDPR has become less of a priority for their organisation since its implementation in the past 12 months.

Pepper added “we continue to see data breach incidents being reported and we know from the ICO that the primary cause is human error – so clearly strategies need to shift if we are going to turn the tide against data breaches.”

“Reliance on people to follow processes and protect data is only going to get organisations so far: people are always going to make mistakes or behave unexpectedly, and more must be done to provide a safety net that protects sensitive information.”

“It’s positive to see that almost one-fifth (17%) of respondents are looking to technology as a way to mitigate breaches, but they must ensure these solutions tackle human error as the root causes of many of these incidents. They must look to the latest advances in security and DLP technology that can map a user’s behaviour to prevent the array of mistakes that put data at risk – from falling for phishing attacks that can lead to malware or stolen credentials, to misdirecting emails or attaching the wrong documents. GDPR is here to stay, and we’re only going to see more companies penalised for data breaches unless we’re able to overcome these issues.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.