The Irish Computer Society and the Association of Data Protection Officers have released the results of the annual National Data Protection Survey. Over 200 Irish-based data protection professionals took part, with just over half of respondents from large organisations.
IT (41%) remains the most popular background for those with responsibility for data protection within organisations. Respondents showed concern about the ability to identify the location of sensitive data, which has increased from last year (34%/27%). Negligent employees are still perceived as the greatest threat, illustrating the importance of not leaving responsibility for data protection at the door of IT or your organisation’s Data Protection Officer.
Fewer than 2 in 5 participants are sure their organisation is prepared for GDPR. Given that we are little over 4 months away from GDPR enforcement, this does appear concerning.
There has been an increase in organisations with formal overseas transfer policies, which is consistent with the demise of Safe Harbour and the new demands of GDPR, but only 1 in 5 believe overseas transfer policies are rarely if ever implemented by employees.
Irish Data Protection professionals are most confident that staff understand information security policies (79%) and two-thirds are ‘very’ or ‘somewhat’ confident that staff know who to approach with data protection questions. Unfortunately, a perception that staff are not always aware of the importance of data protection procedures still remains.
Support for formal training and awareness increased – automating policies was also listed as one of the ways to best educate end-users about safe data protection practices, although automation is more likely a tool to reduce human error rather than eradicate it altogether. 45% said they had insufficient or no data protection training. The results reveal a perception that some data protection training provided by employers may be lagging behind in areas not related to GDPR – only 38% felt they were fully up to date.
The number of organisations experiencing data breaches in the past 12 months remains largely consistent with the previous three years. Data breaches were reported as typically caused by staff members (54%), but the incidence of malicious external attack is increasing: 22% (15%). The good news is that the majority (86%) are confident that organisations will learn from previous breaches.
One in three believe the risk of an external data breach has increased in the past year, but three quarters of companies have taken measures to address external data breach risks. Upgrading security infrastructure is still the most common measure to address this risk, closely followed by IT security audit and greater provisions for staff training.
Almost half of organisations have conducted a Privacy Risk Impact Assessment, considerably up on last year (34%). However, 99% of respondents felt PRIAs were important, so there is a big gap between those who feel they are important and the number of PRIAs actually undertaken.
One in three were unsure whether their organisation processes Subject Access Requests (SAR) or Freedom of Information (FOI) requests. Opinion is spreading that GDPR will make processing SARs more onerous in future: 62% (46%). The survey reported that the Data Protection Officer is usually the person within an organisation responsible for managing SARs, with one quarter of organisations that process SARs having seen an increase in the number of SARs in the past 12 months.
The full results of the survey will be published at the National Data Protection conference at Croke Park on January 24/25.
Reading the survey earns you 2 cpd points in the informal learning category.