Executive Summary of the Study on data protection within Spanish enterprises

INSTITUTO NACIONAL DE TECNOLOGÍAS DE LA COMUNICACION

Objectives and methodology

Study objectives
• Establish a diagnosis of how compliance with the current personal data protection regulations by small and medium Spanish enterprises is perceived in 2012.

Study methodology
• Document analysis of national and international studies.
• Survey: 1,109 interviews with IT security managers of enterprises.
• In-depth interviews with 5 IT security managers of enterprises.
• Expert groups and professionals from different fields of IT security.


Survey technical sheet
Survey on data protection within Spanish enterprises

• Participants: small and medium enterprises registered in Spain (CNAE 2009).
• Sample: 1,109 IT security managers of enterprises across the national territory.
• Sample distribution: of the 1,109 enterprises, 501 micro-enterprises, 343 small enterprises and 265 medium enterprises.
• Data collection: CATI (Computer Assisted Telephone Interviewing).
• Fieldwork: January and February 2012.
• Sampling error: ±2.9%, calculated for a 95.5% confidence level and p=q=0.5.


Main study findings
Knowledge of standards on data protection
• The vast majority of small and medium enterprises know the Personal Data Protection Law (LOPD) and are aware of being legally bound by it: 86.4% claim to know the LOPD and 80.4% state that they are aware of being bound by the data protection regulations.

Existence of databases
• Spanish enterprises usually work with databases containing personal data (3 out of 4). Client and supplier databases are the most frequent (94.5% and 80.2% respectively); payroll, social security and candidate CV databases are less common.

Perception of adoption of data protection requirements
• Half of the small and medium enterprises claim to comply with all the requirements of the Spanish data protection regulations. 57.5% claim to have registered their files with the Spanish Data Protection Agency (AEPD); according to INTECO estimates, only 31.8% have actually done so.
Perception of adoption of data security measures
• Adoption of the security measures set out in the LOPD Development Regulation (RDLOPD) is uneven across Spanish enterprises. Of the small and medium enterprises using databases with personal data, 56.9% claim to have a Security Document, 48.6% claim to have run training sessions on personal data protection, only 30.3% claim to keep an incident record, and 61.8% claim to make a weekly backup of their data.

Contents
• Knowledge of standards on data protection
• Existence of databases
• Perception of adoption of data protection compliance
• Perception of adoption of data security measures
• Enterprise profiles by their compliance with data protection regulations

http://observatorio.inteco.es

Knowledge of standards on data protection
Declared knowledge of the LOPD
• Between 2008 and 2012 the share of enterprises claiming to know the LOPD rose substantially, by more than 50 points (from 34.0% to 86.4%).

Enterprises claiming to know the LOPD. Development 2008-2012
        2008     2012
Yes     34.0%    86.4%
No      66.0%    12.9%
DK      n/a       0.7%
Basis: Spanish enterprises (n=1,109 in 2012)

Knowledge of standards on data protection
Perception of being legally bound by the LOPD
• The vast majority of the enterprises consulted (80.4%) are aware of being legally bound by the LOPD.

Enterprises claiming to be aware of being legally bound by data protection regulations
Yes 80.4% | No 10.4% | DK 9.2%
Basis: Spanish enterprises (n=1,109)

Existence of databases
Possession of databases with personal data
• 74.3% of enterprises claim to have databases with personal data.
• Most small and medium enterprises have such databases; micro-enterprises show a smaller percentage.
• Experts state that practically all enterprises have this type of database.

Enterprises claiming to possess databases with personal data
Yes 74.3% | No 22.8% | DK 2.9%
Basis: Spanish enterprises (n=1,109)

Existence of databases
Typology of databases with personal data
• Among enterprises using databases with personal data, the vast majority use databases of clients and suppliers. Payroll, social security and CV databases are used less frequently.

Typology of databases with personal data
Clients 94.5% | Suppliers 80.2% | Payrolls 42.4% | Social Security and HR (CVs) around 32% each (32.6% and 32.1%) | Minors, health information, CCTV and others below 2% each (1.7%, 1.0%, 0.4% and 0.2%)
Basis: Spanish enterprises using databases with personal data (n=919)

Existence of databases
Typology of personal data handled in databases
• Contact details (addresses, telephone numbers, email addresses), names and surnames, and identity card numbers are found in practically all databases.

Typology of personal data handled in databases
Contact details 97.2%
Name and surname 96.1%
ID card number 91.1%
Bank account number 54.6%
Bank details/financial services 47.2%
Tax number 36.3%
Social security number/occupational accidents 34.4%
Credit record 12.4%
Criminal record 11.6%
Recorded business calls/online website accesses 6.2%
Health condition 2.7%
Ideology/union membership 1.2%
Domestic violence 0.3%
Sexual preference 0.3%
Ethnic group 0.3%
Religion 0.3%
Basis: Spanish enterprises using databases with personal data (n=919)

Perception of adoption of data protection compliance
Enterprises' compliance with data protection regulations
• Almost half of the enterprises (48.5%) state that they are aware of all the requirements of the data protection regulations, and a further 36.7% of the most important ones.

Perception of enterprises using databases with personal data of their compliance with data protection regulations
I am aware of all the requirements 48.5%
I am aware of the most important requirements 36.7%
The remaining 15.2% covers "I am not aware of it", "I am not affected by the data protection regulations" and DK (7.6%, 5.1% and 2.1%)
Basis: Spanish enterprises using databases with personal data (n=919)

Perception of adoption of data protection compliance
Enterprises' compliance with data protection regulations
• Enterprises tend to overstate their level of compliance. Nevertheless, the number of databases registered with the AEPD has grown in recent years.

Enterprises claiming to have registered databases with the Data Protection Agency versus the actual estimated percentage. Development 2008-2012
                    2008     2012
Declared            37.0%    57.5%
Actual/estimated    16.0%    31.8%
Basis: Spanish enterprises using databases with personal data (n=919 in 2012)

Perception of adoption of data protection compliance
Duty to inform
• Three out of four enterprises claim to comply with their duty to inform data subjects.
• According to the experts, the real figure is lower than the declared one: lack of knowledge leads enterprises to misjudge their own level of compliance.

Enterprises claiming to comply with their duty to inform data subjects
Yes 72.7% | No 21.8% | DK 5.5%
Basis: Spanish enterprises using databases with personal data (n=919)

Perception of adoption of data protection compliance
Request for consent
• 70.6% of enterprises claim to request consent, usually keeping a written record or other documented consent.

Enterprises claiming to comply with their duty to request consent from data subjects
Yes, keeping a written record or other documented consent 54.5%
Yes, but without a written record or documented consent 16.1%
(Yes, total: 70.6%)
No 24.1%
DK 5.3%
Basis: Spanish enterprises using databases with personal data (n=919)

Perception of adoption of data protection compliance
ARCO rights management
• 51.0% of enterprises claim to facilitate and guarantee the exercise of the rights of access, rectification, cancellation and objection (ARCO rights).

Enterprises claiming to have procedures to facilitate and guarantee the exercise of ARCO rights
Yes 51.0% | No 34.3% | DK 14.7%
Basis: Spanish enterprises using databases with personal data (n=919)

Perception of adoption of data protection compliance
Data processed by a third party
• 23.6% of enterprises claim to have outsourced services that require personal data processing by a third party.
International data transfer
• International transfers of personal data are infrequent among enterprises.

Enterprises claiming to have outsourced services requiring personal data processing by a third party
Yes, we have regulated the processing of that data 18.6%
Yes, but we have not regulated the processing of that data 5.0%
No, we have not outsourced these activities 71.3%
DK 5.1%

Enterprises claiming to carry out international transfers of personal data
Yes 1.5% | No 97.5% | DK 1.0%
Basis: Spanish enterprises using databases with personal data (n=919)

Perception of adoption of data security measures
Security Document
• 56.9% of enterprises claim to have a Security Document.

Enterprises claiming to have a Security Document
Yes 56.9% | No 31.2% | DK 11.9%
Basis: Spanish enterprises using databases with personal data (n=919)

Perception of adoption of data security measures
Informing enterprise personnel of the data protection regulations
• Most enterprises claim to have informed their staff of the requirements that apply to data processing and of the consequences of non-compliance: 48.6% through information specific to personal data protection and 33.9% by other means.

Enterprises claiming to have informed their employees of the data protection regulations and of the consequences of non-compliance
Yes, they have received information specific to personal data protection 48.6%
Yes, they are informed in another way 33.9%
No 13.4%
DK 4.1%
Basis: Spanish enterprises using databases with personal data (n=919)

Perception of adoption of data security measures
Incident records
• Keeping an incident record is not common among enterprises: only 30.3% claim to have one.

Enterprises claiming to keep an incident record
Yes 30.3% | No 56.7% | DK 13.0%
Basis: Spanish enterprises using databases with personal data (n=919)

Perception of adoption of data security measures
Access control
• 77.7% of enterprises claim to define clearly which people are allowed to access personal data and which tasks they may perform with it.

Enterprises claiming to have established access control
Yes 77.7% | No 19.2% | DK 3.1%
Basis: Spanish enterprises using databases with personal data (n=919)

Perception of adoption of data security measures
Identification and authentication
• 65.4% of Spanish enterprises claim to have a user identification system for access to personal data.
• 77.2% claim to have established a password system for access to computers and applications.

Enterprises claiming to have a user identification system for access to personal data
Yes 65.4% | No 31.8% | DK 2.8%

Enterprises claiming to have a user password system for access to computers and applications
Yes 77.2% | No 21.9% | DK 0.9%
Basis: Spanish enterprises using databases with personal data (n=919)

Perception of adoption of data security measures
Storage device and document management
• Slightly over half of Spanish enterprises (53.9%) claim to keep an inventory of the storage devices containing personal data.
• 37.0% claim to have a protocol for the destruction/deletion of databases.

Enterprises claiming to have an inventory of storage devices containing personal data
Yes 53.9% | No 41.3% | DK 4.8%

Enterprises claiming to have a protocol for database destruction/deletion
Yes 37.0% | No 54.3% | DK 8.7%
Basis: Spanish enterprises using databases with personal data (n=919)

Perception of adoption of data security measures
Backups
• 61.8% of Spanish enterprises claim to make weekly backups, the minimum frequency required by the RDLOPD.

Declared frequency of backups
Yes, weekly 61.8%
Yes, monthly 12.9%
The remaining 25.3% is split among less frequent backups, no backups made and DK (13.6%, 7.8% and 3.9%)
Basis: Spanish enterprises using databases with personal data (n=919)

Enterprise profiles by their compliance with the data protection regulations
SME profiles
• The study identifies four enterprise profiles: 1) enterprises indifferent to / with no data protection activities, 2) misinformed enterprises, 3) proactive / strategic enterprises and 4) compliant enterprises.

Enterprise clusters
Cluster sizes: 21.3%, 27.5%, 32.3% and 18.9% of enterprises (legend: indifferent / no data protection activities; misinformed; proactive / strategic; compliant)
Basis: Spanish enterprises using databases with personal data (n=919)

Enterprise profiles by their compliance with the data protection regulations

Profile 1: Enterprises indifferent to / with no data protection activities
• Sector: retail and hospitality.
• Size: micro-enterprises with low turnover.
• Knowledge of regulations: they do not know the LOPD or do not think they are legally bound by it; many are not aware of the requirements.
• Perception of compliance: they have not registered their databases with personal data in the AEPD records; they do not inform data subjects of the existence of a database.
• Processing of personal data: they process personal data less frequently than average.

Profile 2: Misinformed enterprises
• Sector: industry.
• Size: small enterprises.
• Knowledge of regulations: in general, they do not know the LOPD requirements; a little over a third think they are aware of the LOPD requirements and regulations.
• Perception of compliance: half state that they have registered their databases in the AEPD records; a high percentage do not know whether they have completed this procedure.
• Processing of personal data: they process personal data.

Profile 3: Proactive / strategic enterprises
• Sector: services, trade and hospitality.
• Size: medium enterprises. They know the LOPD.
• Knowledge of regulations: they are aware of the requirements and comply with them.
• Perception of compliance: most have procedures to facilitate and guarantee the exercise of ARCO rights; they inform data subjects of the existence of a database.
• Processing of personal data: almost all enterprises in this profile process personal data.

Profile 4: Compliant enterprises
• Sector: business services.
• Size: small and medium enterprises of all sizes. They know the LOPD.
• Knowledge of regulations: they comply with the LOPD standards more than the other enterprises.
• Perception of compliance: a large share have an action protocol for incident management.
• Processing of personal data: they process personal data.

Recommendations
Recommendations regarding awareness and training
• Increase awareness-raising activities and adapt them to the needs of small and medium enterprises.
• Approach awareness didactically rather than coercively.
• Draft regulatory measures in language adapted to small and medium enterprises.
• Promote the AEPD and the other agencies.

Proposals regarding diagnostics and information
• Carry out a periodic diagnosis of personal data processing and security in enterprises.
• Develop a system of measurements and indicators to monitor enterprise performance in data protection.


Recommendations
Proposals regarding the compliance process and processing management
• Facilitate the adjustment process, providing guidelines, tools and advice to the enterprises facing the greatest difficulties.
• Establish prerequisites and requirements according to the enterprise's size and activity.
• Encourage a higher level of control and monitoring of regulatory compliance.
• Place more emphasis on the most relevant aspects and lower the more formal requirements.
• Use third-party support for the compliance and processing process.
• Encourage self-regulation of specifiers and service providers.
• Provide economic support to enterprises.

Proposals regarding standardisation and certification
• Create an ad hoc seal for enterprises compliant with the LOPD.
• Create a certification for information security and digital trust.

Follow us on:
Web: http://observatorio.inteco.es
Facebook: http://www.facebook.com/ObservaINTECO
Twitter: http://www.twitter.com/ObservaINTECO
Scribd: http://www.scribd.com/ObservaINTECO
Youtube: http://www.youtube.com/ObservaINTECO
The Observatorio de la Seguridad de la Información Blog: http://www.inteco.es/BlogSeguridad

Send us any queries and comments to:
observatorio@inteco.es

http://www.inteco.es
http://observatorio.inteco.es
