UK organizations urged to get ready for tougher data protection laws
New research released today by the UK government shows that fewer than half of all businesses and charities are aware of new data protection laws with just four months to go before they come into force.
Knowledge varies by industry. Businesses in the finance and insurance sectors have the highest awareness of the changes to be brought in through the EU's General Data Protection Regulation (GDPR), which is to be implemented in UK law via the Data Protection Bill in May 2018.
Businesses in the construction industry have the lowest awareness, with only one in four aware of the coming regulation. Awareness is higher among businesses which report that their senior managers consider cyber security a fairly high or a very high priority, with two in five aware of the GDPR.
More than a quarter have already made changes to their operations ahead of the new laws coming into force. Of these, just under half of businesses, and just over a third of charities, have made changes to cyber security practices, including creating or improving cyber security procedures, hiring new staff and installing or updating anti-virus software.
"We are strengthening the UK's data protection laws to make them fit for the digital age by giving people more control over their own data," says Secretary of State for Digital, Culture, Media and Sport, Matt Hancock, speaking at the World Economic Forum in Davos. "And as these figures show, many organisations still need to act to make sure the personal data they hold is secure and they are prepared for our Data Protection Bill. There is a wealth of free help and guidance available from the Information Commissioner’s Office and the National Cyber Security Centre, and I encourage all those affected to take it up."
The bill will give the Information Commissioner's Office (ICO) more power to defend consumer interests and issue higher fines, of up to £17 million or 4 per cent of global turnover, for the most serious data breaches.
While there is no grace period for implementation, the ICO says those who self-report, who engage with the ICO to resolve issues and who demonstrate effective accountability can expect this to be taken into account when the ICO considers taking action.