The Zurich SME Risk Index has suggested that many of the UK’s small and medium-sized enterprises (SMEs) may be non-compliant on the GDPR implementation deadline, largely due to a widespread lack of awareness around the Data Protection Officer (DPO) employment requirements.
The survey of over 1,000 SME business owners highlights that, while 85 per cent would be affected by GDPR, nearly half (44 per cent) of those are not aware that employing a DPO or satisfactory equivalent will become a regulatory obligation for many businesses dealing with large amounts of data from May 2018.
Just one in three (34 per cent) of those surveyed currently employs a DPO or satisfactory equivalent. Current estimates from Cybersecurity Ventures highlight that by 2021 there could be 3.5 million vacant cyber security jobs due to a chronic skills shortage in the field of cyber security, suggesting that a significant number of small and medium-sized businesses in the UK may face non-compliance due to a lack of adequately trained staff.
Fines for non-compliance with the GDPR can be as high as 4 per cent of a business’ global turnover, up to a maximum of approximately £18 million, yet just over a quarter (28 per cent) of SME owners can currently guarantee that they could continue operating following a fine of this magnitude.
With almost one in ten business owners saying that they would need to close down operations following a fine of this size, it appears that the penalties handed out following GDPR implementation could see a significant number of SMEs close for business.
Paul Tombs, head of SME proposition at Zurich, comments, ‘Cyber security trained staff are already a rare and highly sought after commodity and business leaders should be gravely concerned about their ability to find and hire data security personnel.
‘If your business requires a DPO, then investing in training current staff is probably the quickest and simplest solution given the current job market for these individuals. Stomaching the investment in training now may be hard to bear, but the repercussions for no doing so will be dire.’
Further reading on GDPR fines
