Why are organisations failing to comply with data protection legislation?

May 7, 2024

In my opinion, the failure of organisations to comply with data protection legislation is an increasingly serious issue.

What is the justification for this opinion?

Over the last seven years I have been working with organisations that struggled with data protection compliance for the following reasons:

The complexity of the legislation

In the UK we have the Data Protection Act 2018 (also known as the UK’s version of the General Data Protection Regulation – UK GDPR). Previously, the legislation was totally aligned with the European Union under the General Data Protection Regulation – GDPR. Now, that alignment isn’t the same: subtle differences exist, but overall the differences are small and the law hasn’t changed that much since its introduction in May 2018.

UK Data Protection Act 2018

However, most organisations don’t understand the complex set of legal requirements that they have to meet in order to fully comply with the legislation. In my experience, this isn’t generally because they aren’t trying; it’s because they simply don’t understand it. When GDPR came into force in 2018, the communication was poor at best and the focus was on only a fraction of the legislative requirements. Of course, this has meant that not only is the legislation not being followed, organisations are basically ignorant of the requirements. Ignorance is no defence under the law, but little has been done in the last six years to improve this understanding and awareness of what is actually required.

Another key factor here is that there isn’t a simple checklist of things that have to be done; it differs from organisation to organisation. This lack of a certifiable standard means that organisations aren’t able to easily acknowledge where the gaps are and do something about them.

Resources

Most organisations, especially small to medium sized enterprises, cannot afford to hire the skilled and specialist resources needed to achieve and maintain compliance. Even if they can afford the salary, it is not easy to find the right person for the role. Existing resources are being assigned ‘compliance specific accountabilities’, including being assigned the role of Data Protection Officer (DPO). However, again from experience, these resources aren’t complying with the legal requirements as stated in the legislation. For example, most internally appointed DPOs still have some form of ‘conflict of interest’ and are often not appropriately trained.

Without the right level of resource, how are organisations supposed to comply?

There is an obvious answer to this but I will discuss that later in this blog.

Data security

There are numerous requirements in data protection legislation regarding the need to keep personal data safe. In summary, an organisation has to do ‘everything in its power’ to secure personal data. In pragmatic terms, an organisation has to do ‘everything that is both technically and financially feasible’ in relation to data security.

From experience, this simply isn’t happening in the vast majority of organisations. The latest statistics suggest that 70% of organisations recognise that there is a gap in their application of security controls around personal data. That is a shocking admission, one that aligns with my own experiences when reviewing the security of personal data and the control measures in place. The sad reality is that the most likely cause of a data protection incident is a data breach linked to a data security issue. This will likely be due to a lack of training, a lack of the appropriate technical controls or issues with processes that are not fit for purpose.


Another sad reality is that approximately 60% of organisations suffered at least one type of ransomware attack in the last 12 months. It remains a case of ‘when’ that happens rather than ‘if’ that will happen. Organisations are obliged to properly prepare for this and other forms of attack that could result in the loss, theft or restricted access to personal data. My experience is that organisations aren’t doing enough and have to do more.

It won’t happen to me syndrome

I have never had anyone in an organisation admit this, but in many cases there is an underlying opinion that ‘we aren’t going to get fined if anything happens and no one is going to turn up on our doorstep and audit us’. Of course, this simply isn’t true: the risk of being fined is real, especially when you take into account that the risk of a data breach is increasing year on year. I do genuinely feel that the Information Commissioner (ICO) should audit more organisations; however, they do publish details of their enforcement action and auditing activities on their website (https://ico.org.uk).

This general apathy towards the legislation is changing, but slowly. More and more organisations are questioning their suppliers (as they are obligated to do) about their data protection compliance. This assessment, though, is often limited or not done at all. Legislation in this space is failing to be enforced, or even understood, as noted above.

What can organisations do about this in order to actively manage their compliance?

Well, the obvious starting point is to assess their current status. A data protection audit is the only way that an organisation is going to both discover the gaps and be able to acknowledge that there is a genuine issue that needs to be addressed.

Another key activity is to ensure that they understand the details of the personal data processing that they carry out. Not only is this a legal requirement, but it forms the building block for data protection compliance. Having said that, many organisations have done this, especially prior to May 2018, but from experience, not many of these organisations have kept it up to date.

Resource is vital, and outsourcing presents the obvious means by which organisations can bring in the skilled and experienced resources they need to bridge the gaps. Outsourcing the DPO role is one way that this can be done cost effectively while also meeting the critical ‘no conflict of interest’ requirement. (More details on DPO as a Service.) Organisations have to ensure that there is accountability in place for both data protection and data security within their org structure. This is obviously challenging for small organisations, but that’s where Data Privacy Services can assist across both data protection and data security requirements.


The data security challenge is not insignificant, I completely understand that. However, having your head in the sand isn’t the answer either, so take the initiative and do the basics right. Audit your security posture, understand where the gaps are and review the opportunities for improvement. Risk identification and management is vital in securing the necessary senior leadership support. Again, there is a general lack of understanding of the financial risk posed by a data breach. A single breach could cost an organisation up to 4% of its overall annual turnover (of the group, if that applies) in regulatory penalties, plus the costs of incident recovery, e.g. loss of earnings due to downtime and other costs such as forensic analysis. Avoidance of this risk is the best option, but it comes at a price in terms of effort and investment.

The perception that it ‘isn’t going to happen to us’ is a harder one to address. Organisations’ apathy towards the legislation is something that, to some degree, I can understand. However, the risks are so high when you factor in how risk is evaluated. The likelihood of a data protection incident is extremely high, as is the subsequent impact, especially if the organisation is found to be non-compliant. That means the risk exposure is also high, so why would organisations accept this risk? The simple answer is that they still don’t believe it will actually happen to them.

The evidence now suggests otherwise and decision makers need to understand the potential for serious financial loss, obvious damage to their reputation and the often ignored potential for individual litigation.

How can Data Privacy Services help?

Our range of services is designed to protect our customers, reduce their risk and ensure that if the worst happens (which it does) then the impact is reduced. Please feel free to contact me personally by email.

George Harris – CEO Data Privacy Services
