The latest Data Protection Index results provide insight on the big privacy and data protection issues facing UK and international businesses. The UK is in the process of reforming its data protection law, with the current government offering a smaller-scale consultation to see how stakeholders and organisations view the plans. Around 15 per cent of respondents to the latest survey believe that a “complete rewrite” of the law is likely.
The majority of data protection and privacy (DPO) experts (51 per cent) predict that the current UK government will continue with the current data protection reforms as per the consultation that began under the Johnson government. The second-most popular prediction was that the UK would “revert back to UK GDPR” (27 per cent).
“The DCMS consultation on data protection is continuing to cause confusion,” said Rob Masson, CEO of The DPO Centre. “Since the last Data Protection Index, there have been two changes in Prime Minister, leading to some uncertainty regarding the direction of these planned reforms. My concern is that organisations need to understand that any regulatory change is unlikely to be realised for many months, or even years from now. Therefore, businesses should be mindful of the fact that, for the foreseeable future, the UK GDPR as it stands still applies.”
The index asks DPOs which issues they see as their organisations’ biggest compliance challenge over the next 12-month period:
This quarter, “data retention” again ranked as the biggest GDPR compliance concern, with 29 per cent of respondents identifying it as their organisations’ top compliance challenge for the next 12 months (up 1 percentage point since last quarter).
The second biggest GDPR compliance challenge identified by respondents was “international data transfers”, with 18 per cent of respondents identifying this as their organisations’ top compliance challenge.
For the fourth quarter running, no respondents identified COVID-19 as their biggest compliance challenge, aligning with the relaxation of the requirement to document COVID-19 cases.
This quarter, The DPO Centre asked respondents for their views on the European Data Protection Board’s (EDPB) October Guidelines on personal data breaches under GDPR, and whether the respondents thought the new requirement ‘to notify personal data breaches to every single authority’ would be problematic for their organisation. 36 per cent of the respondents scored it an 8 or above. This generally reflects the concerns raised online by the wider data protection community and the worries about the effect this could have on businesses. It is worth noting, however, that 11 per cent of respondents stated that the EDPB’s guidance would be “not at all problematic”.
Finally, privacy and data protection experts were set a malware encryption attack scenario with a ransom for the return of access. When asked “would your organisation pay the ransom?”, the proportion of respondents answering “yes” (their organisation would pay the ransom) fell significantly this quarter, from 26 per cent to 17 per cent, which likely suggests a hardening position amongst companies regarding cyberattacks.