A staggering 84% of small UK business owners are unaware of the forthcoming General Data Protection Regulation (GDPR), according to Shred-it's seventh annual Security Tracker research.
The firm surveyed 1000 owners of small companies in the UK and discovered that whilst 87% claimed to have at least some understanding of their industry's legal requirements, just 14% were able to correctly identify the fine associated with the new regulation – up to €20m or 4% of global turnover.
With the GDPR bringing about unprecedentedly strict new laws about the security of data belonging to individuals within the European Union when it comes into force in just 12 months, companies failing to understand its importance are putting themselves at significant risk.
Speaking to Infosecurity Jonathan Armstrong, compliance & technology lawyer, Cordery, said that it is concerning that so many small business owners aren't aware of GDPR.
“For small businesses GDPR could have quite an impact,” he explained. “If we look at Subject Access Requests (SARs) for example – just one aspect of GDPR – the impact could be considerable. SARs can take around 100 man hours to complete with no fee under GDPR.
“It is also concerning that businesses can't identify the potential fine. It's part of management's responsibility to understand risk and take appropriate steps to mitigate that risk. For any business, 4% of turnover is a risk big enough to be on their radar, for small businesses a €20 fine might mean them shutting up shop”, Armstrong added.
A lack of GDPR understanding was not limited to smaller companies though; 43% of senior executives of large businesses polled also admitted to being unaware of the impending regulation with more than two-thirds just as oblivious about the related monetary punishments. What’s more, of the respondents who did claim to be aware of the legislation change, only 40% of senior execs had begun to take action to prepare for GDPR despite 60% expecting their company to need to alter its information security policies.
Robert Guice, senior vice-president, Shred-it EMEAA, said: “As we approach May 2018, it's crucial that organizations of all sizes begin to take a proactive approach in preparing for the incoming GDPR.
"From implementing stricter internal data protection procedures such as staff training, internal processing audits and reviews of HR policies, to ensuring greater transparency around the use of personal information, businesses must be aware of how the legislation will affect their company to ensure they are fully compliant."
Governmental bodies such as the Information Commissioner's Office (ICO), must take a leading role in supporting businesses to get GDPR ready, Guice argued, by helping them to understand the preparation needed and the urgency in acting now.
"The risks of failing to understand and plan are significant," warned Armstrong. "Businesses that cannot demonstrate an understanding of GDPR will be worth less. They will risk losing key customers if they handle their data and they risk the possibility of employees or consumers taking them to task and possibly seeking remedy."