Amsterdam, NL - 11th December 2019 - One-third of Dutch employees do not know whether measures have been taken within their company to comply with GDPR requirements, despite the fact that this legislation has been in force for more than a year and a half. While some companies invest in training for their employees, on the whole Dutch organisations fall short, as highlighted by the fact that 32% of employees don't know whether a business email encryption solution is available to them.
These results were highlighted in a study commissioned by Egress, a provider of human layer email security solutions, and conducted by Markteffect among more than 250 Dutch employees.
'Regular' employees are less well-informed
Although in many organisations employees, their behaviours and the actions they take are at the centre of GDPR policy, the study showed a lack of awareness among employees. Those responsible for information security within organisations have, predictably, a greater awareness of GDPR policy, but this knowledge is insufficiently shared with the wider staff group. For example, the percentage of people with final or shared responsibility for GDPR policy who indicated that an email encryption solution is available within their organisation is significantly higher than that of employees without such responsibility: 75% versus 33%. And where almost half of those not responsible for GDPR policy don't know whether the legislation has changed the way their organisation shares information, only 10% of 'responsible' employees are unaware.
Almost 16% of all respondents indicated that company data or company-sensitive information has been accidentally made public by someone within their organisation. Here too, there is a clear difference between employees responsible for information security and those who are not: 32% compared to 7%, which indicates that by no means all data breaches are reported by companies to their staff. The record number of data breaches already reported to the Dutch Data Protection Authority this year also supports this conclusion.
On the positive side: the results also show that half of employees are aware of the policy changes that have been implemented as a result of the GDPR legislation. In the majority of cases (52%), this involves training employees. Almost 55% of the respondents also indicate that information security has become part of the normal working duties of more employees within the company.
Discrepancies within organisations
Axel van Drongelen, Benelux General Manager at Egress, said: “The research clearly shows that there's a discrepancy between the policy outlined by organisational leaders and the interpretation by the staff who are expected to implement this policy. Employees who are not responsible for information security, for example, are much less aware of the danger that irresponsible handling of company-sensitive data entails. This is evident, for example, from the fact that respondents who are responsible for information security more often indicate that unconscious data breaches arise via external tools such as WeTransfer or FTP services. This indicates that employees are looking for ways to circumvent security measures, also because there is more frequent use of an email encryption solution. They therefore do not consider the risks of their behaviour.”
Van Drongelen therefore argues for creating even more awareness among employees: “If you don't know that you're doing something wrong, you cannot improve your behaviour. It's positive to see that many companies invest in training for their employees when it comes to sharing information. At the same time, it appears that much more awareness is needed to reduce the danger of unconscious internal data breaches.”
Biggest fear of data breaches is within healthcare
The study also looked at the differences between sectors, such as healthcare, financial services, the public sector and commerce. Healthcare employees appear to have the greatest fear of unconscious internal data breaches, with 32% saying this is the greatest threat to IT security. This is considerably higher than the overall survey average of 23%. Since the healthcare sector is also a leader in the reporting of data breaches to the Dutch Data Protection Authority, this fear does not seem unfounded. Commercial service employees score slightly above average with 23%.
Employees at financial institutions are the most GDPR aware, with 81% of the respondents working in this sector indicating that changes have been made as a result of the legislation. In the government and healthcare sectors, this drops to 50%. Concern about accidental leakage of personal or business-sensitive information is 20% above average within healthcare, which can be attributed to the fact that personal information is more often shared externally via email in this sector (60% versus 49% on average).
Van Drongelen: “Healthcare is pre-eminently a sector where a lot of personal information is exchanged. But here too we see that more than a quarter of the employees do not know whether the policy for sharing information has changed as a result of GDPR. Also striking: almost 15% of healthcare workers believe that their company is not at all at risk when it comes to IT security. This also indicates a lack of awareness.”
The full report will be available in January 2020.