A national survey of IT professionals conducted by the Irish Computer Society revealed some interesting and thought-provoking statistics on the state of – and attitudes towards – data protection in Ireland.
Getting your house in order
In line with law, 79% reported having a named person responsible for Data Protection in their organisations, most of whom (70%) come from IT and Legal backgrounds. Under the GDPR, employment of a DPO will now be a legal requirement for Irish organisations. Given that legal challenges in Germany have shown a conflict of interest in IT departments holding responsibility for Data Protection, it will be interesting to see if responsibility for privacy will continue to be the remit of IT in the coming years.
The same goes for having your policies and procedures in order. 82% have an information security policy in place to safeguard their data, 64% have data breach policies, and 70% have policies to deal with data retention and destruction, to name a few.
Overseas transfer is an underrepresented area, with just 20% drafting a policy for it this year.
Breaching the walls
Managing a data breach has several steps, only some of which are accounted for by respondents. First, although 74% considered Risk Impact Assessments essential, only half of those admit to carrying one out in their organisation. Any lack of knowledge in this area could feed into poor policy development and, consequently, increased risk of data loss.
Data breaches have increased in the last year, with 61% of organisations reporting at least one in the past 12 months. More than half of these were caused by staff members, accounting for thousands of misplaced records.
The number of breaches caused by external attackers has also steadily increased in recent years, from 15% of breaches in the 2016 Survey to 22% this year. External attack is also the most frequently cited perceived threat to organisations (43%), followed by employee negligence (36%) and end-user devices containing sensitive data (36%).
Most are confident that they have learned and adapted from previous incidents; however, confidence in managing day-to-day data protection concerns is lower than last year, perhaps due to the changes brought by the EU GDPR.
Staying in the know
Data protection is an area that is difficult to stay on top of. IT professionals must be aware of what threats exist, how to prepare for them, and how to respond if an attack occurs. Formal training is still viewed as the best way to educate end users about Data Protection best practice, but fewer than 50% of DP professionals feel they have received the right level of training, and a higher proportion than before report having received no training at all.
Worryingly, the survey shows a perception that staff are not always aware of the importance of Data Protection procedures, and are not confident enough to deal with them effectively. This waning confidence could be due to a lack of training and awareness about the EU GDPR.
Subject Access Requests are an area of concern as well. One in three respondents are unsure whether their organisation processes Subject Access Requests or Freedom of Information requests, and survey data indicates a 27% increase in SARs in the past year. This trend is set to continue, since under the GDPR organisations will no longer be able to charge data subjects for SARs or FOI requests. Almost half of survey respondents believe that the General Data Protection Regulation will make processing SARs more onerous.
The GDPR Threat
Big changes are coming, and the community is understandably on edge. The majority of respondents do not feel fully prepared for implementation of the EU General Data Protection Regulation, yet only a slight increase in the number actively preparing for it was reported.
The top three biggest concerns about the GDPR were:
• Stiffer financial penalties for non-compliance
• Accountability requirements (Audits, reporting breach incidents, risk impact assessments)
• New consent requirements
Commenting on the results of the survey, Lanre Oluwatona, DPO at the Irish Computer Society, said:
“There is definitely a pattern emerging. Looking through previous years, we can see a steady increase in the number of data breaches, and our level of training and awareness is to some extent reset to zero following the regulations. Keeping up with the legislation as well as the increasing incidence of external data breach attacks are forcing organisations to re-train their staff, refresh their policies and refortify their IT defences.”