
Information Security… · Security Tracker Infographic 6 The Evolving Workplace 7 Physical Safeguards: People and Places 10 GDPR Readiness 11 Addressing Growing Consumer Concerns

Date post: 20-Aug-2020

State of the Industry Information Security

2018 UNITED KINGDOM


Business is evolving, and data protection practices must evolve with it.

2018 STATE OF THE INDUSTRY REPORT | United Kingdom


Introduction 3
Situation Analysis 4
Security Tracker Infographic 6
The Evolving Workplace 7
Physical Safeguards: People and Places 10
GDPR Readiness 11
Addressing Growing Consumer Concerns 13
Ask the Expert 15
Trends in Legislation and Consumer Sentiment 17
Summary 19



Amid growing societal concerns about privacy and the introduction of a major legislative overhaul, business leaders need to reassess how they protect their customer data from potential security risks and breaches.


Introduction

Every year, Shred-it’s State of the Industry Report helps businesses understand the risks they face in a world dominated by technology. The report draws on the detailed findings from the annual Shred-it Information Security Tracker, an in-depth targeted research study conducted on behalf of Shred-it by Ipsos. The 2018 Security Tracker study provides global insight on information security policies and procedures among Small Business Owners (SBOs) and C-Suite Executives (C-Suites) in the UK.

This outlook gives readers insight into emerging risks and highlights how British businesses of all sizes prioritise data protection and information security. The 2018 State of the Industry Report reveals a number of common themes and emerging challenges, including:

The GDPR Storm:

Europe’s General Data Protection Regulation (GDPR) has been in effect since May 25, 2018, affecting businesses all over the world. Businesses across the UK have been encouraged to seek legal advice and to update their policies and procedures, while the Information Commissioner’s Office (ICO), responsible for enforcement in the UK, is offering support. Shred-it’s Security Tracker shows that, on specific, commonly recommended actions for GDPR compliance, companies both small and large have not taken action, and many were still unaware of the legislation as the deadline approached.

Evolving Work Styles:

As working from home and open-concept offices become increasingly popular, businesses are put at greater risk of data breaches caused by human error. To mitigate this risk, they will have to adapt their security measures and keep up with changing workplace standards. Half of large British companies report employees losing devices such as company mobile phones and laptops, losses which would now need to be reported to the ICO if the devices held people’s personal information.

Employee Training:

The vast majority of UK businesses believe that employee negligence plays a major or moderate role in data security breaches, yet most do not provide staff with regular training on information security procedures. Ironically, many businesses still place responsibility for data security on their employees, and large numbers of businesses that have suffered data breaches have terminated employees’ contracts for negligence.

Data Breach Rate:

A third (33 percent) of large company C-Suite executives report having experienced a data breach. C-Suites were ten times more likely to have experienced a data breach, with only 3 percent of SBOs reporting the same. SBOs are significantly more likely to state categorically that they have not experienced a data breach (94 percent vs. 62 percent of C-Suites).

Consumer Concerns:

Businesses’ customers are becoming more concerned – and more savvy. Our research shows British consumers place high importance on data protection when deciding which bank to use, where to buy a car, which hotels to stay in and even where to work.

Falling victim to a data breach can be devastating to a business of any size. Financial loss, reputational damage and loss of customer trust are only some of the long-lasting effects of a breach.

To learn how you can protect your company, people and customers from fraud, visit the Shred-it Resource Centre at: Shredit.co.uk/resource-centre


Situation Analysis

Widespread agreement about the risks posed by employee negligence has not focused leaders on employee training, leaving British businesses at risk of data breaches.

With the European General Data Protection Regulation (GDPR) in effect as of May 25, 2018, British companies now have even more legislation dictating the way they gather, store and handle data. The Information Commissioner’s Office and the Government have made clear that the UK will adhere to GDPR, even post-Brexit in April 2019. The UK’s Data Protection Bill received Royal Assent and became an Act of Parliament just two days ahead of the GDPR deadline.

However, Cambridge Analytica’s mishandling of Facebook users’ data has also sparked discussion and debate about how businesses collect, use and share data relating to individuals. British politicians were furious about the scandal and the response of the protagonists, adding to an already fractured relationship with large tech firms thanks to concerns over illicit material being shared on social networks and tax arrangements that are not favourable to the UK exchequer.

Perhaps understandably in this context, the ICO has sought to reassure British firms that it will be collaborative in helping them ensure compliance with the new regulations, and its enforcement initiatives are particularly targeted towards large tech firms processing a lot of user data. However, GDPR and the related Data Protection Act 2018 represent the third generation of data protection law in the UK, and the clear picture coming out of this research is that businesses are found wanting in many areas.

For example, Shred-it’s 2018 Information Security Tracker shows that British bosses consider employee negligence one of the biggest threats to their information security. The vast majority of C-Suites (88 percent) believe that employee negligence is one of the biggest information security risks to their organisation, and half (49 percent) of small businesses feel the same. More than half of large businesses (55 percent) that have suffered a data breach pinpoint the cause as employee negligence, and nearly a third of large businesses that have suffered a data breach (30 percent) have terminated an employee as a result.

However, UK PLC is not focused enough on employee training. Just over half (55 percent) of large businesses have trained their employees on the use of public Wi-Fi, and only 70 percent have provided training on identifying fraudulent emails (the latter was the highest rate among any critical security training). The situation is graver within smaller businesses, with just a quarter (27 percent) having provided training on the use of public Wi-Fi and a third (33 percent) having offered training on identifying fraudulent emails. Overall, just 46 percent of SBOs offer any key employee training.

In addition, given that GDPR is at the front of everybody’s minds, it is surprising that only two-thirds (66 percent) of large British businesses and 26 percent of small business owners have offered their employees specific GDPR-related training. The lack of universal training suggests that a large proportion of the British workforce is not appropriately trained for the kinds of safeguards necessary under GDPR.

Indeed, our data shows that training is sorely needed. One in four (27 percent) employees studied as part of the Security Tracker research confessed to leaving work documents or notebooks on their desk, while one in six (16 percent) leave their computer on and unlocked when they leave work for the day.


British companies now have even more legislation dictating the way they gather, store and handle data.


Shred-it® is a Stericycle solution. © 2018 Shred-it International. All rights reserved.

Learn more about how you can protect your data. 0800 197 1164 | shredit.co.uk/resource-centre

SECURITY TRACKER 2018 UK

REMOTE WORK EXPOSES BUSINESSES TO RISK

UK BUSINESSES THAT...

» Have employees who work remotely: 96% of C-Suites, 52% of SBOs

» Trust their employees are doing everything they can to safeguard sensitive physical/digital information while off-site: 89% of C-Suites, 92% of SBOs

» Agree the risk of a data breach is higher when employees work remotely: 83% of C-Suites, 60% of SBOs

» Believe remote work will become even more important in the next five years: 90% of C-Suites, 66% of SBOs

Employers must take steps to protect against breaches when employees take sensitive data off-site.

Sensitive items lost or stolen while employees were working off-site (according to C-Suite bosses):

» Company mobile phone: 50%

» Company laptop: 45%

» Electronic storage device: 41%

» Sensitive papers: 35%

» Personal

ALL SECTORS MUST PRIORITISE DATA PROTECTION

Consumers say data protection is important when choosing:

» Which bank to use: 86%

» Their place of employment: 75%

» At which hotel to stay: 69%

» From which dealer to buy a car: 70%

» Which legal firm to hire: 76%


The Evolving Workplace

As companies continue to evolve the way they do business, working styles are also changing and adapting to industry trends. Working remotely or in an open-concept office can benefit both employers and staff, but business leaders should adapt information security protocols to mitigate any additional risks from these work environments.

Remote Work

Working remotely has increased in popularity over the last few years – and it has never been easier. Whether employees consider their living room a permanent office or need to spend a few days at home to take care of a sick child, increased connectivity and technological advancements make it possible to work from almost anywhere. As of 2018, the vast majority of large businesses in the UK (96 percent) and more than half of small businesses (52 percent) reported employees using off-site or flexible working models.

Offering a flexible working style benefits employers, allowing them to attract top talent without geographical or time constraints. Working remotely can also increase productivity, letting employees focus on important work without being interrupted by colleagues or distracted by general office mayhem. Most C-Suites in the UK (90 percent) believe that the option to work remotely will become increasingly important to their employees over the next five years, as do two-thirds (66 percent) of small business bosses.

In their eagerness to implement this model and benefit from employees working off-site, many employers have failed to adjust their data protection policies for exposure to new potential risks. Nine in ten (89 percent) British C-Suites say they trust their employees are doing everything they can to safeguard sensitive information when working off-site, yet around half of C-Suite leaders report that employees have lost company mobile phones (50 percent) or company laptops (45 percent) while working off-site.

The majority of C-Suites in the UK (75 percent) do have policies for storing and disposing of sensitive data for employees working off-site, but a quarter (22 percent) confess that not all employees are aware of these policies, and another quarter (23 percent) admit they do not have a policy at present. Small businesses fare worse, with less than half (43 percent) of bosses stating they do not have a policy in place at all. The issue may be further complicated if employees do not understand what constitutes sensitive data. Information security policies should clearly define what is considered sensitive data, and businesses should ensure this is emphasised during regular training.

Employees working remotely can expose businesses to both physical and digital breaches, so it is important to have policies and safeguards in place. Businesses need to address these added security risks with proper training, policies and enforcement mechanisms. With 95 percent saying they audit their security procedures and policies at least once a year, these audits could be a good opportunity for business leaders to investigate extra precautions for off-site workers.

Open-Concept Offices

Often sleek, modern and technologically advanced, open-concept offices have become increasingly popular in the last few years. This set-up is said to increase collaboration, but it also increases the risk of data breaches. Fewer doors mean fewer locks and therefore fewer opportunities for safeguarding sensitive documents, both electronic and physical.

In open-concept workplaces, sensitive information is often on display, with nothing stopping prying eyes from peeking at confidential data. When modernising their working environments, employers should take precautions to mitigate the increased risks of open offices. The best way to do this is to have solid policies in place and to provide thorough and regular training to employees.

In addition to policies on storing and disposing of confidential data and end-of-life electronic devices, employers can encourage employees to take security into their own hands. A Clean Desk policy, for example, would require employees to keep sensitive or confidential information out of sight, such as in a locked drawer or cabinet.


Over 80% of C-Suites believe the risk of a data breach is higher when employees work off-site.


Many businesses are not training employees in critical physical information security areas.


Physical Safeguards: People and Places

With so much information now stored digitally, it is easy to think that strong IT defences are enough to keep your data protected. There are other ways to gain access to confidential data, however, and they do not involve a hacker behind a computer screen. Physical data protection measures should be top-of-mind for businesses collecting and handling sensitive information. This includes having a good alarm system and security cameras, keeping file cabinets locked, properly disposing of sensitive documents and old hard drives, and having a policy for mobile devices.

However, it is not enough to have strong digital and physical protections in place to safeguard your sensitive information. If employees are not properly trained to mitigate risks, businesses could be exposing themselves to potential breaches. The overwhelming majority of large British businesses (93 percent) provide some form of training on physical information security to their employees, but only 46 percent of SBOs report doing the same. In both cases, large proportions are not training in critical areas.

The following percentages of businesses train employees in these specific areas:

» Identifying fraudulent emails – 70 percent of C-Suites, 33 percent of small businesses

» Reporting a lost or stolen electronic device – 65 percent of C-Suites, 24 percent of small businesses

» Keeping sensitive information out of sight when working in a public space – 57 percent of C-Suites, 30 percent of small businesses

» Using public Wi-Fi – 55 percent of C-Suites, 27 percent of small businesses

Business processes around physical confidential or sensitive documents are also highly important to ensuring data protection, yet success in this area is mixed. C-Suites are over four times more likely to work at an organisation with a locked console and professional shredding service for confidential documents compared to SBOs (31 percent versus 7 percent). While this is best practice for handling printed confidential information (which is equally subject to GDPR), both C-Suites (-16 pts) and SBOs (-3 pts) are significantly less likely to indicate that their organisation has a locked console in their office than they were last year, showing a worrying decline.

Implement these physical safeguards to protect your data:

Secure Physical Access to Information

Inside the office, make sure you store confidential information in locked cabinets, storage rooms or password-protected files. Implementing a Clean Desk policy, which requires that all employees securely store documents and devices when they are not at their desks, is a good way to ensure sensitive information stays out of sight. Encourage employees to keep sensitive data in digital form only. If it is necessary to keep hard copies, ensure they are destroyed properly when they are no longer needed.

Evaluate Third-Party Access to Confidential Information

Many third parties require confidential information to provide services. In 2018, 60 percent of breaches reported by C-Suites and 71 percent of those reported by small businesses could be attributed at least in part to an external vendor or source. Audit your third-party security and privacy policies, and ensure they have clearly established contractual obligations to notify you in the event of a data breach.

Develop a Corporate Mobile Device Policy

With flexible work models and variable hours becoming the norm, employees are more likely than ever to have confidential information stored on their mobile devices. Once those devices leave the workplace, employers often lose track of what happens to them. Create a Mobile Device policy that helps control the use of these devices.

Properly Dispose of Old Hard Drives

Confidential information remains on a hard drive even if the data has been erased, deleted or reformatted. Thieves can use specialist software to recover data even if the original user deleted it from a device. Hard drives and other electronic materials containing confidential information should be securely wiped or destroyed.


GDPR Readiness

The General Data Protection Regulation (GDPR) came into effect on May 25, 2018 and will have repercussions for any business handling data on individuals located anywhere in the EU. All of the signs point to businesses having a long way to go to be fully compliant with GDPR, but efforts are underway.

Shred-it’s Security Tracker data showed that just a month before the deadline, a quarter (22 percent) of small business owners were totally unaware of the forthcoming General Data Protection Regulation. According to the study, London-based businesses were much more aware than those in other regions, with just 12 percent stating that they were not at all familiar with GDPR, compared with much higher figures in the Midlands (30 percent), the North (23 percent), Scotland (20 percent) and Wales (17 percent).

As well as documenting the gap in understanding, the research also shines a light on practices that could put organisations in breach of GDPR requirements if not properly handled, including the frequency of lost devices (see page 7), and how far businesses have come on the specific areas of preparation that advisers have been urging. While there’s been a lot of focus on email subscriptions, many businesses are a long way behind in other critical areas of preparation. For example:

» Just 46 percent of large businesses have reviewed policy notices, 17 percent of small businesses.

» Just 44 percent of large businesses have documented the lawful basis for data processing, 19 percent of small businesses.

» Just 44 percent of large businesses have assigned a data compliance officer, 17 percent of small businesses.

» Just 39 percent of large businesses have updated procedures for detecting, reporting and investigating a data breach, 15 percent of small businesses.

None of these specific areas of preparedness has been addressed by more than half of large companies, and only one area has been addressed by more than a quarter of small businesses. This represents an alarming gap and one that needs to be addressed before businesses lose focus.

Businesses need to take a holistic approach to data security and privacy. By incorporating information security into all aspects of their operations, business leaders can help create a global environment in which data risks are minimised and consumers trust companies with the information they need to deliver products and services.


If you need to brush up on GDPR, here is a summary:

What is GDPR? GDPR is a legally-binding set of guidelines for collecting and processing the personal information of EU residents. While governing the way that data is handled, GDPR also gives individuals greater control over their own information.

Who does it affect? GDPR affects any company, individual or organisation that collects or handles the personal data of the residents of any EU member country.

What is personal data? Under GDPR, personal data is defined as anything that allows the identification of a living person, directly or indirectly. Some examples include names, phone numbers and both physical and IP addresses.

What does this mean for my business? GDPR demands data protection by design and by default. In short, data protection should be fundamental to your operations and should be incorporated into all business processes for the products or services you provide.

Ideally, you would collect as little data as possible and keep it separate from information about customers from non-EU countries to minimise risk.

A big part of GDPR is giving consumers easier access to data collected about them and erasing their data if the consumer requests this, which they may do in a number of situations – including if it is in the interest of their fundamental rights and freedoms. To comply with this, you need to ensure that you have a comprehensive data management system in place that can identify and carefully document that data.

GDPR also outlines a strict procedure in the event of a data breach. If you experience a breach, you are under a legal obligation to disclose it within 72 hours unless the breach is unlikely to pose a risk to the individuals’ rights and freedoms. Fines for failing to comply can reach up to €20 million.


Addressing Growing Consumer Concerns

The British general public is increasingly concerned over the security and privacy of their data. In 2018, 33 percent of C-Suites report that their organisations experienced data breaches. Out of those who experienced breaches, one of the biggest consequences reported is harm to the organisation’s credibility and reputation. It can take a long time for businesses to recover from data breaches. With fewer staff and resources, small businesses usually take a harder hit: 72 percent of SBOs in the UK say it took their businesses more than six months to recover, while 7 percent say they never fully recovered.

Consumers are getting savvier and more informed about data security issues following a number of high-profile breaches and instances of improper data handling – like the Facebook and Cambridge Analytica incident. British people have started demanding better protection and more information about how their data is being stored, distributed and used. To prevent long-term financial and reputational harm, businesses should listen to these concerns and take steps to address them.

Some sectors may have more work to do than others. Consumers say data protection is important to them when making big decisions like:

» Choosing a bank – 86%

» Picking a legal firm – 79%

» Taking or keeping a job – 76%

» Choosing a car dealer – 70%

» Choosing a hotel – 69%


Internally, businesses should take all appropriate precautions with consumer data. This includes having comprehensive policies in place to protect data and address breaches if they occur, and regularly training employees on how to follow those policies. Externally, organisations should ensure that users or customers are told and understand both how their data is being used and what safeguards the organisation has in place to protect that information.

By addressing consumers’ concerns about the way businesses handle sensitive information and communicating the shared responsibility of consumers to safeguard their data, British businesses can also protect themselves from the financial and reputational consequences of breaches.

Part of protecting consumers can also mean educating them about how to minimise risks to their own information. The average person can help safeguard their data in a few simple ways:

1. Using high-strength passwords for all electronic devices and online accounts

2. Locking phones and computers when they are not being used

3. Never leaving laptops or mobile devices unattended in public spaces

4. Always logging out of websites and accounts on shared or public computers

5. Safely disposing of end-of-life electronics and data storage devices like USB drives


Ask the Expert

Marcus Clayden

Marcus Clayden is an Associate in Burges Salmon’s Technology and GDPR team. Marcus has particular experience of advising clients in the energy and financial services sectors on a full suite of technology, outsourcing, privacy and broader commercial matters, and regularly presents at conferences and contributes to publications on GDPR and other IT law issues.

Marcus’ practice focuses on technology-related transactions, including the outsourcing and procurement of technology products and services, software development and licensing, e-commerce issues, digital marketing, data protection and privacy issues.

GDPR is often referred to as a ‘game-changer’ and that’s correct, but why?

MC: GDPR has introduced a single set of rules governing how European citizens’ data is used. It addresses the impact of cultural, social and technological changes, such as cloud computing and social media and, for the first time, it imposes legal obligations on data processors.

The effects of GDPR will be far-reaching. All organisations will need to review the ways in which they deal with data and respond to the increased compliance requirements accordingly.

What effect will GDPR have on businesses that operate internationally?

MC: GDPR has extra-territorial scope, which means it looks to apply European data protection principles to certain organisations operating overseas.

If your organisation transfers personal data outside of the European Economic Area, or you have suppliers or storage systems which may transfer data internationally, you need to ensure that you comply with the data transfer regulations under GDPR. GDPR allows transfers to individual territories or sectors outside of the EEA if they have been deemed adequate or if there are adequate safeguards in place for data protection.

Since the Edward Snowden / NSA revelations, those kinds of transfers to organisations in the US have received particular attention. The Privacy Shield is a framework which governs and legitimises transatlantic data flows between the EU and the US. Towards the end of 2017 the European Commission completed its first official review of the implementation and effectiveness of the Privacy Shield and considered that the Privacy Shield provided an “adequate” level of protection for personal data.

Subsequently, A29WP, the data protection working party that provides the European Commission with independent advice, published its own report. In it, the A29WP compliments the “efforts” made by US authorities but also details its lengthy list of required improvements. Such improvements include more guidance on the commercial aspects of the Privacy Shield and more detailed analysis to determine how data is collected for national security purposes. Should A29WP’s concerns fail to be resolved, it will seek a preliminary ruling from the CJEU regarding the Privacy Shield’s adequacy decision with the intention of the Privacy Shield being declared invalid.

Each transfer of personal data that is not GDPR-compliant could result in a fine of up to 4% of your organisation’s worldwide annual turnover. Therefore, whilst a response from the Commission could be some time away, organisations that operate with the US should keep up to date with developments in this evolving area.


What does GDPR reveal about wider trends in data protection?

MC: GDPR is an example of governments’ increased focus on sanctions to enforce security objectives. Other examples include:

The Network and Information Systems Directive

Various cyberattacks made the headlines in 2017, such as the NHS WannaCry ransomware attack and threats from state-sponsored hackers, and this has continued into 2018. Against this backdrop, cybersecurity is on the global political agenda and has been for some time.

The Network and Information Systems Directive (NIS Directive), implemented into national law across Europe earlier this year, is a key part of the legislative package to implement a baseline for cybersecurity across member states. The NIS Directive requires operators of ‘essential services’ (such as utilities and digital infrastructure providers) to increase the security of their network and information systems. As with other legislation (such as the Bribery Act 2010 and Modern Slavery Act 2015), there is an onus on providers to ensure compliance throughout their supply chains.

e-Privacy Regulation

The Commission is also updating existing law to cover instant messaging, web-based email, metadata, cookies, direct marketing and online marketing by way of the new e-Privacy Regulation (expected later in 2018). It gives individuals and businesses specific rights that are not covered in the GDPR, for example, the right of confidentiality and integrity of a user’s device (e.g. smart phones and tablets). The fines reflect the higher GDPR levels: the more serious infringements have penalties which equate to the higher of €20 million or 4% of the total annual worldwide turnover.

What opportunities are there for business?

MC: Updating and standardising data protection across the EEA has the advantage that business can focus on a more streamlined regime. Whilst the various legislative changes introduce complexities now, implementing GDPR effectively within your organisation, along with the requirements flowing from these other regulatory changes, can differentiate you in terms of consumer confidence and put you on the front foot as you market your security credentials.


Since news broke that Cambridge Analytica misused Facebook users’ data, many print and online publications have started pushing readers to protect their own data in any way they can — but users can only do so much. The internet’s rapid takeover of commerce and communications erased national borders years ago, so it makes sense for data protection laws to evolve accordingly.

GDPR

Leading this evolution is the European General Data Protection Regulation (GDPR). As one of the most significant changes in European data legislation in over 20 years, GDPR came into full effect on May 25, 2018 after a two-year transition period. These new rules aim to protect the data of European Union residents and give them greater control over their personal information. Though GDPR is considered a European law, any country accessing the data of EU citizens must adhere to it.

At the heart of the GDPR legislation are requirements to protect people’s personal information, meaning a greater focus on encrypting digital information, safer practices in handling sensitive hard copy documents, and establishing policies around the storage and deletion of both.

The ICO has produced an information guide for businesses which can be found on their website. You can also read more advice from Shred-it at the following site: www.shredit.co.uk/en-gb/gdpr

Data Protection Act 2018

GDPR gives member states limited opportunities to make provisions for how it applies in their country. As such, one of the key provisions of the UK’s Data Protection Act 2018, which became law on the eve of GDPR enforcement, is to make clear how the EU regulation applies in the UK. The ICO recommends that GDPR and the DPA be read side by side.

The DPA 2018 is an essential step in the Government’s bid to maintain the free flow of data with the European Union after Brexit. It sets the stage for an adequacy agreement where the European Commission would recognise Britain as having equivalent data protection standards.

However, the Data Protection Act is not just about GDPR and includes specific new measures around issues relating to immigration and the activities of the intelligence services, for example. Privacy rights groups have criticised these provisions and divergence from the EU’s GDPR and suggested that they might threaten the free flow of data after Brexit.

Trends in Legislation and Consumer Sentiment


ICO Enforcements

Even before GDPR came into effect, the ICO has been active over the last year in penalising organisations for data breaches that exposed people’s personal information. In May alone, the ICO issued five monetary penalties, including fines of £325,000 and £125,000 for the Crown Prosecution Service and the University of Greenwich respectively.

Many expect the size of fines to increase with the introduction of GDPR.

Nuisance Calls and Messaging

With the ICO struggling to recover fines levied for nuisance calls, as many of the companies involved go into liquidation, the Government announced a consultation on new powers in May this year which would empower the data protection watchdog to levy fines of up to £500,000 on company directors themselves, not just the companies.

These measures may also make business leaders mindful of their GDPR and general data protection responsibilities on the basis that these powers could be further extended.


Shred-it is proud to provide businesses of all sizes with advice and data security intelligence based on our research. The 2018 State of the Industry Report highlights the main information security trends experienced by businesses and consumers across the UK this year and outlines important actions those businesses need to take to protect themselves against data breaches.

Increasing threats to data security and the changing business landscape are pushing companies to do more to ensure the protection of consumer data. Whether that means investing in regular and thorough employee training, increasing physical safeguards or implementing stricter data policies, they have a responsibility to their customers and employees.

New legislation also means that businesses are increasingly accountable to the Government. With GDPR already being enforced by the ICO, but a widespread understanding of the new rules lacking, UK firms will need to keep up with and adhere to more and more regulations.

A good way for C-Suites and SBOs to uphold their duties to consumers and government alike is to integrate data protection into everything they do. Businesses should regularly assess their information security strategies and ensure they are keeping pace with changes in regulation and societal expectations.

Shred-it can help you protect what matters. For more tips on improving your information security, please visit the Shred-it Resource Centre at: Shredit.co.uk/resource-centre


Summary

linkedin.com/company/shred-it

@Shredit_UK


Data protection must become a core part of all business practices.


Learn more about information security at shredit.co.uk or 0800 197 1164

2018 Security Tracker Survey Methodology

Ipsos conducted a quantitative online survey of two distinct sample groups: Small Business Owners (SBO) in the United Kingdom (n=1,000), all of which have fewer than 100 employees, and C-Suite Executives in the United Kingdom (n=100), with the minimum threshold in the UK being 250 employees. Data for Small Business Owners is weighted by region. Data for C-Suite Executives is unweighted as the population is unknown. The precision of Ipsos online surveys is calculated via a credibility interval. In this case, the UK SBO sample is considered accurate to within +/- 3.5 percentage points had all UK small business owners been surveyed, and the UK C-Suite sample is accurate to within +/- 11.2 percentage points had all UK C-Suite Executives been surveyed. The fieldwork was conducted between April 9th and April 23rd, 2018. In addition to the quantitative online survey, Ipsos conducted a short omnibus survey among a general population sample of n=1,127 residents of the United Kingdom about data protection and security.

How Shred-it® Can Help

The Shred-it Protected Workplace

Our integrated suite of products and services, including Paper Shredding, Hard Drive Destruction and Workplace Security Policies, all delivered through a secure Chain of Custody, are designed to protect the things that matter most, every single day.

Shred-it Secure Document and Hard Drive Destruction

» Secure end-to-end chain of custody processes
» Certificate of Destruction after every service
» Tailored solutions to your organisation’s needs

Advice and Expertise

» Trained experts in information security
» Provide a Data Security Survey at your organisation to identify information security risks

Shred-it® is a Stericycle solution. © 2018 Shred-it International. All rights reserved
