Only one in four staff believe their company complies with data protection law

Out-Law News | 02 Oct 2014 | 5:23 pm

Fewer than a quarter of staff at businesses in the UK, France and Germany think their organisation fully complies with data protection laws, according to a new study.

Cyber security company Sophos commissioned a survey of 1,500 office workers in the three countries and found that 77% of respondents were not confident that the company they work for adheres to data protection requirements.

The survey revealed that 60% of UK businesses have a clearly communicated data protection policy, compared to 50% in Germany and 43% in France. Larger companies are more likely to have a data protection policy, Sophos said.

Respondents also highlighted worries they have over the security of personal data their organisation is responsible for. Concern on this issue is greatest in France, according to the survey, where 86% of respondents expressed concern about personal data security in their organisation compared to 78% and 74% of respondents from the UK and Germany respectively.

Fear of cyber attacks leading to data breaches and concern for the security of corporate data were also greater in France than in the UK and Germany, Sophos said.

According to the survey, more devices used for work purposes are encrypted in the UK than in France or Germany. In the UK, 62% of businesses encrypt laptops and 41% encrypt company mobile devices. In France, 36% and 21% of companies encrypt laptops and mobiles respectively. Fewer than a third (32%) of German businesses encrypt work mobiles, although 56% encrypt company laptops, Sophos said.

In the UK, the Information Commissioner's Office (ICO) has repeatedly warned organisations to ensure portable devices are encrypted. The watchdog has previously taken enforcement action against organisations that experienced a breach of personal data as a result of devices being unencrypted.

Sophos said that 64% of office workers surveyed reported that their employers require staff to input passwords to use work mobile devices.

Compliance issues relating to the use of 'shadow IT' were also identified by the survey. The term 'shadow IT' generally refers to employees' use of applications that have not been approved for use by the IT department or that have not otherwise been obtained in accordance with IT policies.

Sophos said 66% of office workers do not always check whether data held by a business is "safe to share", and 64% of respondents said they were "prepared to use shadow IT and personal cloud services to circumvent their organisations’ IT restrictions and security policies" to share data more easily.