Sophos survey reveals fewer than a quarter of staff in UK, France and Germany believe their organisation complies with data protection laws

October 6, 2014

It has been over 6 months since the amendments to the Privacy Act took effect. While the Privacy Commissioner’s office has been reasonably active in publishing guidelines, releasing statements and handing down 3 determinations, a robust use of its enforcement powers has not yet been in evidence. That may be consistent with the softly, softly, then gradually escalating model set out in its statement “The OAIC’s enforcement approach to new privacy laws” of 12 March 2014, which relevantly provides:

Central to the OAIC’s enforcement approach is an escalation model that includes a range of regulatory responses.

Individuals will continue to have the right to make a complaint to the OAIC and we will deal with these according to our usual processes. That is, in the first instance, in the case of individual complaints we would expect to see a person try to resolve a matter with the organisation or agency first. If the respondent is a member of a recognised External Dispute Resolution scheme, we would also expect the individual to have first accessed that scheme. If a matter is accepted by us, we will always attempt to resolve issues through conciliation. In relation to Commissioner initiated investigations the OAIC will work with respondent organisations and agencies to resolve the matter.

However, where conciliation or working with entities is not effective, we may use our other tools, including determinations, enforceable undertakings or in the case of serious or repeated breaches, initiating court proceedings for civil penalties. This is consistent with our current practices and the approach of the OAIC for some time.

A recent Sophos survey found that in the 3 largest EU countries there is a real concern about compliance with current data protection laws. The survey is reported in “European firms far from ready for new data rules, study shows”. Europe has a longer history of data protection legislation, with more comprehensive and stronger enforcement powers than Australia. It is a reasonable assumption that compliance in the Australian private sector is not any better than in the UK, France and Germany: the culture is not as ingrained and the regulatory history is not nearly as proactive.

The article provides:

As European authorities aim to ratify revised data protection legislation by the end of 2015, many firms will have a lot of work to do to comply, a study has revealed.

If all goes according to plan without any more deadline slips, European firms will have to comply with the reviewed laws some time in 2017, following a two-year implementation phase.

However, despite 84% of 1,500 office workers polled in the UK, France and Germany saying Europe needs stronger data protection laws, 77% are not confident their organisations comply with current rules.

This means only 23% were completely confident their organisations complied with current legislation, according to the survey commissioned by security firm Sophos.

While 91% of respondents had at least one safeguard in place when it came to protecting personal data, only 59% had antivirus protection.

Almost half said their organisation either did not have a data protection policy in place, or had not told employees about one.  

The survey, aimed at gauging professionals’ understanding of data protection ahead of the proposed EU reforms, showed knowledge and awareness of data encryption is low.

A fifth said their organisations are not encrypting personal data, while a quarter said they did not know if their organisation was using data encryption, and 7% admitted not knowing what encryption was.

Again, only 23% could confirm their organisations encrypted employee and customer data.  

The report also examined user attitudes to mobile device security, with 98% agreeing the data is to an extent more important than the device itself.

However, a quarter confessed to storing corporate information on their personal laptops and mobile phones, with 19% revealing they had lost a personal or mobile device.

When it came to securing mobile devices, the majority (64%) said their organisations implemented passwords to secure mobile devices.

However, only 31% of those with company phones were able to confirm they were encrypted, compared with 51% confirming their company laptops were encrypted.

The UK had the highest percentage of encrypted company laptops – 62%, compared with 36% in France and 56% in Germany.

The UK also had the highest percentage of encrypted company mobiles – 41%, compared with 21% in France and 32% in Germany.

This disparity between encryption on mobile phones and laptops highlights the continued willingness to accept mobile phones as a risk, according to the study report.

The majority of respondents agreed information was the most valuable asset, with 95% saying they need to share, send and access corporate data from any device or location in order to work effectively.

But the survey showed two thirds of respondents do not always check whether the data is safe to share, and a little more than two thirds said that, to share data easily, they were willing to use personal cloud services to circumvent company IT restrictions and policies.

Attitudes to cloud storage differed in each country. Overall, 31% said their organisation allowed them to use cloud storage solutions – like Dropbox – in the workplace.

However in the UK this increased to 44%, with only 27% allowed in France and 23% in Germany.

A further 11% were not allowed to use cloud storage solutions, but said they did so anyway.

The survey showed UK respondents are also more likely to share data in the cloud – 52%, compared with 40% in France and 34% in Germany.

Overall, 61% of respondents said it was important to have stronger laws on data protection governing all European countries. This broke down to 54% in the UK, 68% in France and 62% in Germany.

There were also differences in opinion between the three countries with regard to the security of personal data, with France (86%) more concerned than the UK (78%) and Germany (74%).

Only 29% of respondents in Germany were concerned about cyber criminals getting hold of data, compared with 49% in France and 45% in the UK. Additionally, 76% of respondents in France were more concerned about the security of corporate data, compared with 62% in the UK and 59% in Germany.

Interestingly, 60% of employees in the UK – compared with 43% in France and 50% in Germany – said their organisation had a data protection policy and it had been clearly communicated, with employees in larger organisations more likely to be aware of data protection policies.

Data protection reform a step in the right direction

“Although there is still some fine-tuning to be done to the proposals for reformed data legislation in the EU before they can become law, the core principles are unlikely to change,” said Anthony Merry, director of data protection at Sophos.

“All in all, we see this as a positive step in the right direction to bringing all member states under a single set of rules appropriate for the modern, digital world,” he said.

The current data protection directive dates from 1995, but there have been many changes since then, such as widespread use of smartphones and enterprise adoption of cloud-based services.

At the very least, Merry believes the new legislation will achieve the goal of raising awareness about the importance of data protection.

“Many of the companies I talk to still do not understand what data protection is, why businesses need to do it and why it is important, and that needs to change,” he said.

With the proposed fines of up to 5% of global turnover, or €100m, he believes the planned data protection laws will help focus the attention of business executives on the issue.  

Mandatory breach notifications will force companies of all sizes to think more carefully about data access, according to James Lyne, global head of research at Sophos.

In particular, he said it will force small and medium enterprises (SMEs) to limit access to the data employees need to do their work, instead of full access to everything by anyone on the company network.

“The new laws should result in greater data segmentation, more use of encryption and more groups of data with policy around them,” said Lyne.

SME-friendly data protection legislation

But while it will force SMEs to report all data breaches, it will also be more SME-friendly by requiring data protection authorities to help companies hit by breaches to deal with the impact.

“The proposed legislation allows for more help and support for organisations hit by data breaches than the current legislation in the UK,” said Lyne.

“The new laws are aimed at encouraging organisations to report breaches as quickly as possible by offering reduced liability and support in mitigating the effects of a breach,” he said.

Lyne hopes the new laws will encourage SMEs to choose a security standard to implement and seek professional advice to ensure they are following best practices.

“This approach means that if they are hit by a breach, they are more likely to be supported as a victim, rather than being fined for being negligent through failing to take appropriate measures,” he said.

The proposed legislation, he said, will go a long way to ensure businesses are not failing to take basic security measures to ensure data is protected.

Encouraging data encryption

The reviewed legislation is also likely to help drive encryption of data, said Merry. “If data is encrypted, even if IT systems are breached, companies will not be liable under the law,” he said.

Encrypting data will also mean even though organisations will have to report a data breach, they will not have to notify individuals that their data has been compromised.

While continual data breach notifications may result in notification fatigue, Merry said the overall effect is likely to be an increase in awareness of the issue by companies and consumers.

“This means consumers are more likely to transact with businesses they feel they can trust with their personal and financial information,” he said.

Another positive effect of the proposed legislation is that it will force all companies that hold the data of EU citizens to offer better protection, even US-based companies.

Lyne said cyber crime is transnational, but laws still tend to be national. However, the proposed EU data protection laws will go some way to changing this by bringing the law more in line with real-world practice.
