As the six-month countdown to the GDPR D-Day of May 25 2018 approaches, new research shows you have to put in the man hours to get in shape, with the average UK SME so far spending 600 hours, although a worrying 40% – equivalent to 2.1 million firms – have not even started to plan for the new legislation.
When asked who is leading the preparation, four in ten (43%) business owners said marketing staff had raised concerns about their current ability to handle and use data in accordance with GDPR. In response, 44% had reorganised operational responsibilities and processes.
The most common business function that SMEs are adjusting for GDPR is sales (57%), followed by IT (55%) and marketing (45%). These groups were also the most likely to have received GDPR training (sales and IT both 39%, and marketing 35%).
Over a quarter (27%) of SMEs also said they had hired new staff to help prepare for GDPR. As a result, over half (54%) now feel they have the right GDPR expertise in-house. Half of those questioned have also invested in expert guidance or consultancy, spending almost £8,000 each on fees to date; proving there is plenty of money out their for GDPR consultants.
However, despite this spend, nearly three quarters (73%) do not have detailed documentation to evidence their GDPR compliance and over two thirds (64%) of business have no plan in place for customer data breaches.
When asked about their plans to comply to GDPR, most business owners (69%) plan to contact customers directly for consent to retain and process their data. Most businesses will use a combination of methods with 70% doing it via email, 43% by phone and 38% by letter. Nearly two thirds (61%) also plan to use the ‘legitimate interest’ route to comply.
Most business owners are scheduling their GDPR compliance outreach between 1 and 15 January 2018.
Lisa Chittenden, data compliance doctor at The Data Compliance Doctors – which carried out the study – said: “With six months to go, it’s not too late to get yourself up to speed. [But I’d also caution businesses planning to contact customers direct for data consent, as opt-in communications can dramatically reduce the number of customers you can talk to.
“There’s a variety of other ways to make data eligible for marketing use – some of which provide greater scope to keep historic information. Our figures reveal that a third of business owners are unsure of the different laws relating to mail versus electronic communications for this purpose. A further third are also unaware of the different permission types, so I’d encourage them to seek expert advice or do some research to ensure they’re fully compliant.”
DMA tells firms: don’t expect all the answers on GDPR
Americans streets ahead of UK firms with GDPR plans
Firms finally wake up to GDPR but despair about future
Brace yourselves for the GDPR data ambulance chasers
ICO set to launch dedicated GDPR hotline for SMEs
New industry body to tackle threat to outbound calling
70% of customers plan to demand to see their data
Privacy chief Denham hits out at GDPR scaremongering