GDPR increased cyber security in the UK but more needs to be done, says research from RSM

Most organisations have introduced new or improved cyber risk management in the last three years, with GDPR cited as the main factor for change (23 per cent of respondents), according to research of 1,200 companies carried out by RSM's Economic Consulting team for Department for Digital, Culture, Media and Sport (DCMS).

GDPR is working within its remit but the evidence suggests that it has not impacted all aspects of cyber security equally. More improvements were reported in relation to governance, risk management, data security and systems security, while less change was evident in relation to procurement and supply chain risk management. Organisations were also more likely to have made changes to data protection than other aspects of cyber security (71 per cent of respondents introduced new or improved data protection policies, while only 62 per cent introduced or improved other information security policies).

Jenny Irwin, RSM’s economic consulting partner said: ‘Cyber risk has been heightened by the coronavirus across every organisation as we rely more on remote working and digital which opens up more areas of exposure. The findings show that GDPR has successfully encouraged improvements in cyber risk management for organisations within scope of the regulation, however companies do need to review practice and policies as a priority.’

‘Recommendations for the current DCMS review of cyber and regulatory landscape include the need to encourage organisations to take a more holistic approach to cyber security, undertake Business Impact Assessments to understand the specific impact of a potential breach and accept it could happen; and tailor future guidance and incentives, taking account differences in organisation and linking security outcomes to key business goals.’

The research was commissioned by the Department for Digital, Culture, Media and Sport (DCMS), the research was supported by subcontractor BMG Research Ltd (BMG) and strategic advisors Professor Martin Sadler (University of Bristol) and Dr Geraint Price (Royal Holloway, University of London). Its findings informed DCMS’s review of cyber security regulations and incentives. The primary research included a survey of over 1,200 businesses, charities and Local Authorities representing a diverse range of industries across the UK.