Fewer than half of staff know what their company is doing to prepare for GDPR

by Egress
Published on 22nd May 2018

May 22, 2018

Egress Software Technologies has announced the results of its survey with OnePoll into how employees handle sensitive data in relation to GDPR. Looking at practices for non-legal and technical staff ahead of the General Data Protection Regulation (GDPR), the survey found that only 43 percent of the 1,000 respondents were aware of what their company was doing to prepare for the legislation, leaving well over half in the dark.

The survey also raised concerns about employee education when sharing sensitive data (a key requirement of GDPR) with one in 10 unaware they are handling personal data in their day-to-day jobs and 57 percent unable to correctly identify when it would need to be protected.

When presented with categories of personal data – such as addresses, phone numbers and email addresses, dates of birth, and financial information – and asked which information they would need to protect in an email attachment, only 43 percent correctly identified that all of the data would need to be protected. What’s more, 20 percent outright admitted that they didn’t know if any of it would need to be secured. Last week, the Information Commissioner’s Office released statistics showing that emailing personal data to the incorrect recipient was the most common data security breach in the UK between January-March this year, accounting for 15 percent of all breaches.

“Over the past two years, GDPR has been effective in pushing data protection up the boardroom agenda, and technology and compliance teams have been working overtime to make sure their organisations are ready,” said Tony Pepper, CEO of Egress. “However, data security doesn’t stop at their office doors.

“This survey shows over 50 percent of staff do not have a clear understanding of what their company is doing to prepare for GDPR, despite three-quarters of staff handling personal information on a daily basis. Combined with the ICO’s findings last week that human error accounted for the top five most common security incidents last quarter, this suggests a worrying disconnect between what organisations have agreed at a corporate level versus the communication and education of employees who will need to act out these changes. With GDPR only days away, organisations have a huge amount of work left to do if they are to ensure their staff don’t unwittingly put their businesses at risk.”

Employees are still sharing personal data over personal apps

The survey showed some organisations are making headway with their technical compliance, with 42 percent of employees provided with a way to safely share information at work, such as email encryption, encrypted file transfer or secure project collaboration tools.

Despite this, 20 percent of people admitted to using personal apps or web services to share company documents. Unsurprisingly, personal email led the charge on this with 12 percent of respondents choosing it as one way to quickly share documents, while other answers included social media (seven percent), messaging apps (seven percent) and personal cloud (three percent). This behaviour puts personal data at higher risk of unauthorised access and makes the organisation liable for a data breach under GDPR.

In this respect, the marketing department was the worst offender, with a huge 70 percent admitting to having used personal accounts – with social media being the most popular. This is especially concerning as employees in the marketing department were also most likely to handle personal data (96 percent of marketing respondents).

“Most of the time, employees aren't trying to put their company at risk,” said Tony Pepper. “They are just trying to get their job done, and often turn to personal apps and devices simply because they find them more convenient. However, this creates massive risk of non-compliance with GDPR, with organisations unable to track where data is stored and who is accessing it. The solution? Security technology that actually works for users. Only by putting users at the centre of the technology we develop and procure can we ensure they’ll use these tools to protect personal data. What’s more, these technologies can actually help to maintain employee productivity – providing no excuse for using personal apps and devices.”

Concluding the survey on a worrying note, only half (49 percent) felt that their company was doing enough to protect personal data in light of recent breaches.

It’s great to see some companies and specific departments clearly getting it right when it comes to GDPR awareness,” said Tony Pepper. “However, it’s concerning that this isn’t the case for more than half of the survey’s respondents. Awareness is a huge part of compliance: everyone who handles personal data should be able to identify and protect it. As the ICO’s data also shows, human error continues to account for a very high percentage of data breaches, so organisations need to be doing all they can to provide staff with security safety nets that prevent data breaches. This can only be achieved through a blend of awareness, training and getting the right security technology to support the day-to-day work staff are doing and the personal data they routinely handle.”


OnePoll surveyed 1000 UK employees working in a company with more than 100 employees, not working in IT/tech or legal department 19/04/2018 - 01/05/2018.

About Egress

As advanced persistent threats continue to evolve, we recognize that people are the biggest risk to organizations’ security and are most vulnerable when using email.

Egress is the only cloud email security platform to continuously assess human risk and dynamically adapt policy controls, preparing customers to defend against advanced phishing attacks and outbound data breaches before they happen. Leveraging contextual machine learning and neural networks, with seamless integration using cloud-native API architecture, Egress provides enhanced email protection, deep visibility into human risk, and instant time to value.

Trusted by the world’s biggest brands, Egress is private equity backed with offices in London, Sheffield, Cheltenham, New York, Boston, and Toronto.