U.K. Businesses Feel Financial Crunch From Data Protection Changes

Upcoming changes to EU data protection regulation are imposing a significant financial burden on organizations, finds a new study.

Europe data protection regs

By Matthew Broersma

United Kingdom businesses, along with their counterparts in Germany and France, are more aware of upcoming changes to the EU's data protection regime than a year ago, with most finding the changes are imposing a financial burden on their operations, according to a new study.

More than two-thirds, or 68 percent, of the IT professionals surveyed for the study said keeping up to date with the changes was a financial burden, with British respondents more adamant in this regard, at 77 percent, compared to 66 percent in France and 61 percent in Germany.

Regulatory Shift

The survey, carried out by Vanson Bourne on behalf of U.S.-based software maker Ipswitch, is intended to monitor business' readiness for the General Data Protection Regulation (GDPR), due to come into European Union law by the end of this year. The draft GDPR, which affects any organization that collects, stores, processes and shares personal data on employees, customers or partners, imposes more stringent data protection rules and carries far more serious penalties for non-compliance of up to two percent of a company's annual global turnover.

The regulation is, in turn, partly a response to an increasingly volatile data landscape in which the spread of mobile devices, increased data sharing and other factors have made it increasingly difficult to safeguard personal data, and high-profile data breaches have become increasingly commonplace.

The study found awareness of the regulation has improved since this time last year, with 69 of those surveyed acknowledging it will affect their businesses—last year more than half of respondents, or 56 percent, couldn't accurately identify what "GDPR" meant.

However, 18 percent said they still had no idea whether the regulatory changes affected them, in spite of acknowledging that they do store and process personal data. Ninety percent of the IT professionals surveyed—100 in the UK, 100 in France and 100 in Germany—said their business stores personal data, with 86 percent processing it and more than one-third, or 40 percent, sharing it externally via means including email, portable storage and the postal system.

In order to maintain compliance, businesses will need to review their policies and processes around data management, including file sharing practice, perimeter defenses and encryption technologies, and make IT and training investments, according to Ipswitch.

Data Globalization

"Whil[e] IT professionals recognize the need to align data protection regulation to keep up with modern data sharing practices and the globalization of data, it is clear that compliance comes at a price for most,” said David Juitt, the company's chief security architect, in a statement. "Whil[e]many are trying to prepare by organizing training and assigning resource, there’s clearly a very large expectation of a need to invest in new technologies."

Sixty-nine percent of those surveyed said they will need to invest in new technologies and services to prepare for GDPR, while 51 percent said their business has already allocated training budget to help staff comply with the regulation. Exactly one-half said their organization has allocated internal training resource to aid compliance.

Of the technologies companies believe they will need to invest in, 62 percent said they were likely to need new encryption technologies, with 61 percent investing in analytic and reporting, 53 planning to buy perimeter security and 42 percent file-sharing tools, Ipswitch said.