Unlike most firms, SMEs are not having sleepless nights worrying about whether they will be able to get in shape for GDPR; 84% of UK small business owners have still not even heard of the biggest shake-up of data protection laws in a generation.
That is the rather worrying conclusion of Shred-it’s seventh annual Security Tracker research, conducted by Ipsos, with just a year to go until GDPR D-Day on May 25 2018.
Perhaps even more surprising, given the huge coverage of the impending regulation, 43% of senior executives of large companies said they were also unaware of the changes, although it is not known whether this ignorance is company-wide.
The Security Tracker survey also found that only 14% of small business owners and 31% of senior executives were able to correctly identify the fine associated with the new regulation – up to €20m or 4% of global turnover. This is despite a large proportion of senior executives (95%) and small business owners (87%) claiming to have at least some understanding of their industry’s legal requirements.
Businesses which are unaware of the forthcoming legislation and its implications are putting themselves at risk not only of severe financial penalties, but also of the reputational damage caused by adverse publicity associated with falling foul of the law, the company insists.
This can often have a greater impact than the fine itself. Research shows that 64% of executives agree that their organisation’s privacy and data protection practices contribute to reputation and brand image.
Of those respondents who claim to be aware of the legislation change, only 40% of senior executives have already begun to take action in preparation for the GDPR, in spite of 60% agreeing that the change in legislation would put pressure on their organisation to change its policies related to information security.
The survey also highlights that companies feel the UK Government needs to take more action. Forty-one per cent of small business owners (an 8% increase from 2016) believe that the Government’s commitment to information security needs improvement.
Robert Guice, Senior Vice President Shred-it EMEAA, said: “As we approach May 2018, it’s crucial that organisations of all sizes begin to take a proactive approach in preparing for the incoming GDPR.
“From implementing stricter internal data protection procedures such as staff training, internal processing audits and reviews of HR policies, to ensuring greater transparency around the use of personal information, businesses must be aware of how the legislation will affect their company to ensure they are fully compliant.
“Governmental bodies such as the Information Commissioner’s Office (ICO) must take a leading role in supporting businesses to get GDPR ready, by helping them to understand the preparation needed and the urgency in acting now.
“The closer Government, information security experts and UK businesses work together, the better equipped organisations will find themselves come May 2018.”