We always knew there was lots of insecurity out there.
But I was surprised to find that, in an exercise we recently ran with our AIIM members, the number came back alarmingly high: 26%.
So that is one in four organisations suffering loss or exposure of customer data in the previous 12 months.
What’s really worrying is that that number is not far behind an even more important one: 38%.
That is to say, 38% of organisations confirm they are highly dependent on sensitive personal content to drive their business processes, while at the same time they can see some of that vital data leaking out from under their firewalls.
Worse, of that one in four, 18% lost employee data, which in 10% of those cases led to action or fines from a regulator.
Being fined is bad enough, but that’s not the end of the disruption a data breach causes: 25% saw some kind of hiccup in their day-to-day business and a worrying 18% a loss of customer trust.
Customer data can be an invaluable asset for any organisation, but it is imperative that personal data is kept safe and that consumers are confident their personal details remain private.
But it would seem that many organisations are struggling to secure sensitive and personal data even under current data protection rules, so they may be thrown even further by the move to the EU-US Privacy Shield (the successor to Safe Harbour) and the imminent EU General Data Protection Regulation. Indeed, the survey gives us a basis for just such concerns, with a clear lack of familiarity with the forthcoming General Data Protection Regulation (GDPR): 37% of those storing Europeans’ data are not familiar with GDPR, including 11% who (mistakenly) think it will not apply to them.
Ignore Hollywood – it’s the internal enemy to worry about, not the super hackers
That’s just not good enough. If your organisation holds data on European citizens (strictly, on individuals in the EU, whatever their citizenship), you have to be aware that European data protection standards follow that information wherever it is stored, and you need to make sure your organisation is taking steps towards compliance.
GDPR places direct obligations on data processors as well as on the data controller (the organisation on whose behalf the data is processed), and it makes the controller responsible for using only processors that can guarantee compliance, under a written contract. So the organisation needs to positively audit its processors, including cloud service providers, to confirm that compliance is actually being met. You need to be on top of this.
It looks like you may also need to revamp the way you limit your exposure to the threat: not the external hackers of the movies, but the real threat, the internal one.
We confirmed, once again, that data breaches are much more likely to be due to internal staff than external hackers, with 47% of organisations surveyed having suffered a data breach, exposure or incident in the past 12 months due to staff intent (19%) or staff negligence (28%). A mere 13% suffered data loss from external hackers, no matter what Mr Robot says.
Even so, around a quarter of respondents still feel that senior management does not take data privacy breaches seriously. Does that mean everyone is taking this passively, accepting that data is insecure and that losing it is just a part of doing business? Not at all. Well over half of respondents, 64%, claim to encrypt all the Personally Identifiable Information (PII) they hold, a figure that rises to 75% for sensitive personal data.
But there’s still work to do: not enough (38%) encrypt email addresses, while an astonishing 25% of those storing credit card details do not encrypt them. PCI DSS requires stored card numbers (the PAN) to be rendered unreadable, whether by truncation, one-way hashing, tokenisation or strong cryptography, so card numbers held in the clear are almost certainly a contravention of the standard.
We found that 20% of AIIM members responding to our online questionnaire rely on metadata and content types to drive security, yet half of respondents admit to poor metadata standards. The two findings do not sit well together: if access rules are keyed on classification labels, content that is mislabelled or unlabelled is effectively unprotected. This is a situation that can, and should, be improved with modern metadata correction and data cleaning products.
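To make that point concrete, here is an added illustration (not code from the AIIM report, from AvePoint or from this blog) of a metadata-driven access check. The label aliases, the roles, the policy and the sample records are all constructed for the example. Access rules are keyed on a classification label; inconsistently spelled labels are normalised to a canonical class, and anything unrecognised or missing is treated as the most restrictive class, so poor metadata fails closed instead of quietly granting access.

```python
"""Illustrative metadata-driven access control (added example; the labels,
roles and documents below are constructed, not taken from the AIIM survey)."""

# Canonical classes, least to most sensitive.
CLASSES = ("public", "internal", "pii", "sensitive_pii")

# Constructed map of label variants seen in a content store -> canonical class.
LABEL_ALIASES = {
    "public": "public",
    "internal": "internal",
    "internal only": "internal",
    "pii": "pii",
    "personal": "pii",
    "personal data": "pii",
    "sensitive": "sensitive_pii",
    "sensitive pii": "sensitive_pii",
    "special category": "sensitive_pii",
}

# Constructed policy: which roles may read which classes.
ROLE_ACCESS = {
    "anyone": {"public"},
    "staff": {"public", "internal"},
    "hr": {"public", "internal", "pii"},
    "dpo": set(CLASSES),
}


def normalise_label(raw):
    """Map a free-text label to a canonical class, or None if unrecognised.
    Case, surrounding whitespace, hyphens and underscores are ignored."""
    if raw is None:
        return None
    key = " ".join(raw.strip().lower().replace("_", " ").replace("-", " ").split())
    return LABEL_ALIASES.get(key)


def effective_class(metadata):
    """Resolve a document's class from its metadata. An unknown or missing
    label fails closed to the most restrictive class; a fail-open default of
    'public' is exactly how poor metadata turns into a data leak."""
    cls = normalise_label(metadata.get("classification"))
    return cls if cls is not None else CLASSES[-1]


def can_read(role, metadata):
    """True if the role is allowed to read a document of the resolved class."""
    return effective_class(metadata) in ROLE_ACCESS.get(role, set())


def audit_labels(documents):
    """Ids of documents whose labels could not be normalised: the backlog a
    metadata clean-up has to work through before label-driven access is reliable."""
    return [d["id"] for d in documents if normalise_label(d.get("classification")) is None]


# Constructed sample records mimicking inconsistent labelling.
SAMPLE_DOCUMENTS = [
    {"id": "doc-1", "classification": "Public"},
    {"id": "doc-2", "classification": "Internal-Only"},
    {"id": "doc-3", "classification": "Personal Data "},
    {"id": "doc-4", "classification": "Sensitive_PII"},
    {"id": "doc-5", "classification": "confidental"},  # typo, unrecognised label
    {"id": "doc-6"},                                    # no label at all
]

if __name__ == "__main__":
    for doc in SAMPLE_DOCUMENTS:
        print(doc["id"], effective_class(doc), "staff may read:", can_read("staff", doc))
    print("needs relabelling:", audit_labels(SAMPLE_DOCUMENTS))
```

The design choice worth noticing is the default in `effective_class`: with half of respondents admitting to poor metadata, a policy that treats an unrecognised label as "public" would expose exactly the badly labelled records, whereas failing closed keeps them restricted until the clean-up in `audit_labels` has been done.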
The verdict’s clear: data continues to rise in economic importance to us, but our ability to look after it properly isn’t improving at anything like a fast enough pace.
Bob Larrivee is Chief Analyst at AIIM, the global, non-profit organisation which provides independent research, education and certification programs to information professionals and which has been an advocate and supporter of information professionals for over 70 years.
In this thedmcollaborators blog, Bob was drawing on findings from a new AIIM probe into this topic – Data Privacy – Living by New Rules. If you’d like to download a free copy of the main findings of the report, which was commercially supported by collaboration and governance leader AvePoint, please go here.
The study is based on a web-based survey of 200-plus members of the AIIM community, taken in October and November 2015. Invitations to take the survey were sent by e-mail to a selection of the 160,000 AIIM community members.