New figures from cybersecurity firm CrowdStrike suggest many British firms aren’t reporting data breaches in a timely manner, as is required per General Data Protection Regulation (GDPR).
The company recently polled 500 decision-makers from the UK and found that less than half (42 percent) of those that had fallen victim to a data breach reported it to the relevant authority, the Information Commissioner’s Office (ICO).
GDPR, a regulation that was brought in three years ago, demands businesses report a data breach within 72 hours of learning about it. Even though the number of reported breaches rose in the past 36 months, many firms still chose to keep it quiet.
The report also highlighted how UK decision-makers feel about their organization’s cybersecurity posture. Almost half (46 percent) believe their business is a target, and two-thirds (67 percent) consider themselves prepared for the aftermath. At the same time, about a third (36 percent) have specific protocols prepared in case of a breach.
In extreme cases, GDPR allows the communications watchdog to fine the company 4 percent of its annual global turnover or 20 million euros, whichever sum is greater. Still, CrowdStrike claims, most businesses either don’t know or underestimate this amount. Some don’t even think GDPR still applies in the UK since it left the EU.