With only a week remaining before the General Data Protection Regulation (GDPR) takes effect across the European Union, nearly a quarter of small-business owners are completely unaware of it and unprepared for its impact, according to data in Shred-it's eighth annual Security Tracker report, released 17 May.
The research, conducted by Ipsos, surveyed 1,000 small-business owners with fewer than 100 employees, as well as a second sample group that included more than 100 C-suite executives from businesses with over 250 employees.
"The research makes clear that there is a huge disparity in terms of preparedness and focus based on the size of businesses," Shred-it wrote in a press release. While 97% of C-suite executives at large companies have a basic understanding of GDPR, only 78% of small-business owners possess at least a basic awareness of the forthcoming regulations.
Almost half (47%) of leadership at large firms report having detailed GDPR knowledge, but "that figure for small businesses is just 10%," Shred-it wrote.
Brian Vecci, technical evangelist at Varonis, said, "While some companies have prepared for the GDPR for months and even years, others have only recently realized they need to comply and have to scramble a bit to catch up."
Everyone is in the final countdown, but with only one week until the deadline, Vecci said, "Companies need to zero in on their sensitive data and, more importantly, discover the data at risk that could ultimately knock them out of the GDPR compliance ring. Companies need to make sure they know what sensitive data they have and where that data might be at risk and cause them problems after May 25."
Neil Percy, VP of market development and integration EMEA at Shred-it, agreed, stating, “Companies need to audit their current data flows and assess where confidential information may be at risk, either in digital or physical form, and take steps to restrict accessibility and delete or, if in physical format, securely destroy it when necessary.”
There are additional provisions within the regulation that small businesses need to be aware of. In a 16 May blog post, Shawn Ryan at Imperva wrote, “One of the more notable provisions of the GDPR is Article 33 or the mandatory 72-hour breach reporting requirement. Article 33 dictates that, in the event of a personal data breach, data controllers notify the appropriate supervisory authority 'without undue delay and, where feasible, not later than 72 hours after having become aware of it.'”