Is your business ready for GDPR?
If so, you’re very much in the minority. About one-third of UK companies say they aren’t ready for the new EU-wide rules on personal data, even though the changes are just three weeks away. That’s according to a survey by IT company Spiceworks.
One-in-Five Firms Don’t Know GDPR Exists
And just under one-in-five of British businesses do not even know that the upcoming General Data Protection Regulation exists, says a study by the Federation of Small Businesses, while one-third are merely vaguely aware of the new rules.
Worse still, many of those who do know about GDPR are failing to do anything about it. More than two-thirds of UK firms have either not taken steps to ready themselves or are in the early stages — equating to 3.2 million enterprises.
‘Companies are Woefully Underprepared’
“With little more than three working weeks left until the GDPR becomes enforceable, it appears that businesses continue to be woefully underprepared, despite the numerous warnings issued, and have left themselves wide open to being in breach of the new regulation,” says Andy Miles, chief executive of cybersecurity firm ThinkMarble.
“Too many see the new regulations as a compliance tick-box activity and a burden, when really it should be viewed as an investment into your business, your employees and your customers.”
The FSB estimates the total cost of complying with GDPR will be about £1,000 per small business. “The GDPR is the biggest shake-up in data protection to date and many small businesses will be concerned that the changes will be too much to handle,” says Mike Cherry, FSB chairman.
GDPR comes into force on May 25 and introduces tough rules on processing and storing personal data, as well as new rules on consent. GDPR also introduces tougher requirements on reporting data breaches, an obligation to employ a data protection officer if large volumes of personal data are being handled, and a requirement that consumers be granted easier access to their stored data.
Firms ‘Paralysed by Fear of Fines’
Firms that fail to comply are liable to fines when GDPR comes into force. Fines for data breaches will be as high as £17 million, or 4% of annual global turnover, whichever is higher. Under current UK rules the maximum fine regulators can levy is £500,000.
UK regulators have said, however, that fines are a last resort. Even so, many firms remain liable to action: just 8% of small UK businesses have finalised their preparations for GDPR.
“It is clear that a high proportion of the UK’s 5.7 million small businesses will still be unprepared when May 25 rolls around,” says the FSB’s Cherry. He added that regulators should take a “carrot before the stick approach” by encouraging smaller businesses to comply, or they would be “paralysed by the fear of heavy fines”.
Facebook Scandal Shines Light on Data Protection
Data protection has risen high on the political and business agenda as high-profile data breaches have emerged at firms including Facebook. The social network came under pressure recently to explain how data collected on 50 million of its users were exploited for political gain, after Cambridge Analytica, a data firm, used the information to help Donald Trump’s US presidential campaign.
Miles says: “I expect that we will see future customers seeking reassurance on how their data is processed and managed. Those organisations that have taken the right steps to reinforce their cyber security and information practices will be the ones that reap the benefits.”
A ‘Safe Harbour’ Scheme
Business groups have called for protections for businesses which fail to get their house in order before the GDPR deadline. The FSB says the UK information watchdog should introduce a safe harbour scheme, letting companies voluntarily report themselves if they discover they are in breach of the little-known new rules.
That scheme would see the Information Commissioner offer advice on how to meet GDPR requirements — rather than imposing harsh penalties.
Data Protection Already Costs Business £1,263 a Year
The burden of regulation is already dear for UK businesses, with the FSB’s research suggesting members spend seven hours a month on data protection compliance — without GDPR — costing them, on average, £1,263.
But, astonishingly, 27% of UK companies have no existing data protection policy in place at all, according to a report from ThinkMarble.
Another 13.5% are not even registered with the Information Commissioner’s Office, a legal requirement for any organisation that processes personal data.
The Information Commissioner, Elizabeth Denham, advises that “the ICO’s website offers a number of ways in which organizations of all sizes, and all sectors, can self-serve to get the help they need. We also know that many representative bodies and sector associations are also providing excellent GDPR advice and support for their members”.