42% of Irish businesses have no plan to handle data breaches

Ward Solutions has found that 42% of Irish businesses don’t have a crisis management plan to implement in the event of a data compromise. The finding was revealed in Ward’s 2017 Information Security Survey, which was carried out among 170 senior IT professionals and decision makers in Ireland.

The results of the survey commissioned by Ward Solutions indicate that many Irish organisations are unprepared for the new General Data Protection Regulation (GDPR), set to come into force in May 2018. Surprisingly, more than one-quarter (26%) of IT decision makers stated that they don’t know what GDPR is or have yet to start making preparations towards achieving compliance.

The need to achieve compliance is highlighted by the extremely severe fines that will be introduced under GDPR. Companies that suffer data breaches and are found to be non-compliant with the regulation will be liable to fines of up to €20 million or 4% of global turnover, depending on which is greater.

Despite the scale of the fines and the number of companies affected, the survey highlighted a lack of awareness of the GDPR at board level, with 31% stating that their directors are not aware of the extent of potential fines for failing to comply with the legislation. One in five stated that their directors are not even aware of the existence of such fines.

Almost three quarters (74%) of those surveyed said that their organisation collects personal data on Irish or European citizens, making them subject to the new law. However, 13% of organisations don’t know where personal data in their control is stored, something that they will need to be able to display an awareness of to achieve GDPR compliance. The survey also found that 45% of companies do not have the necessary in-house IT resources to achieve compliance, and will, therefore, be forced to seek the help of third party providers.

Pat Larkin, CEO, Ward Solutions, said: “It’s extremely worrying that with little over a year to go until GDPR comes into force, almost half of Irish businesses still don’t have a plan to deal with data breaches. The incoming penalties for failing to display compliance in the aftermath of a data breach are so significant that they could have a devastating effect on companies found to be non-compliant, both financially and in terms of reputational damage.

“The fact that nearly three-quarters of the organisations we surveyed said that they process personal data highlights just how many businesses will be affected by this legislation. However, Ward Solutions’ experience would indicate that the figure is actually higher again and that this response reflects the blind spot that many businesses have when they consider personal data. This is likely to be particularly significant to organisations in light of the new GDPR regime. Companies need to identify where data in their possession is stored and where it flows during processing.

“Much of our current GDPR activities are focused on helping IT staff communicate the risk and impact of the new regulation to the executive levels of their business. This is needed to garner support for work programmes geared towards achieving compliance.

“Irish businesses must act now to ensure compliance, and it is essential to their future viability that directors do not underestimate the workload that this involves. Those who don’t take the necessary steps now will find themselves competing with an increasing volume of Irish organisations, all seeking assistance from a limited pool of knowledgeable resources. This will result in them having to spend a lot more time and money than they bargained for to achieve compliance.”