Confusion still reigns in UK organizations over new European data protection laws, with the latest research revealing a failure of leadership at board level and awareness levels that are still too low.

A Trend Micro study of 1000 IT decision makers from across the globe revealed that while 100% of UK respondents are aware of the EU General Data Protection Regulation (GDPR), 73% are unaware of the extent of GDPR fines and a quarter claimed a fine wouldn’t bother them.

That betrays a lack of understanding of the potentially punitive fines regulators will be able to level from May 25 2018, with the maximum penalty standing at £17m, or 4% of global annual turnover.

What’s more, there’s confusion over who should take the lead in compliance efforts, with a quarter (25%) claiming the CEO should be responsible and 23% stating it’s the job of the CISO and security team.

Just 10% of boards are leading compliance efforts, the report found.

“With just nine months to go before it comes into force, GDPR should be the biggest boardroom issue of the moment. But the findings suggest it’s the elephant in the British boardroom,” argued Trend Micro VP of security research, Rik Ferguson.

“If organizations don’t take the regulation seriously, they could be subject to a fine that’s a significant portion of global revenue. The task for the C-Suite now is to see GDPR as a business issue rather than a security issue, before it gets to that stage.”

The findings are echoed somewhat by Citrix, which polled 500 UK IT leaders to find that none could agree on who owns the crucial customer PII covered by the GDPR.

Just a quarter (27%) claimed this data is owned by the customer while half said it belongs to the organization.

Citrix claimed data overload and sprawl were complicating compliance efforts. The average large UK business now uses 24 systems to manage and store personal data, with 21% using over 40 systems to do so, the report claimed.

What’s more, the average large UK business collects personal data from 577 individuals every day, it said.

It’s perhaps not surprising that over a third (38%) of respondents claimed they’re not ready yet for the regulation.

That chimes with a Barracuda Networks survey of over 600 UK SME decision makers which found 30% aren’t prepared for the GDPR and a third aren’t aware of the impact it will have on their organization.

Half even said they either didn’t know or don’t believe that the GDPR will affect their business.