A year after the UK voted to leave the European Union, new research from Webroot, the market leader in endpoint security, network security, and threat intelligence, reveals that UK small- to medium-sized businesses (SMBs) misunderstand the impact of Brexit on compliance with the General Data Protection Regulation (GDPR).
Webroot finds that UK SMBs were unsure whether they would have to adhere to the GDPR after Brexit, despite needing to be compliant if the organisation holds data on European citizens. Further questioning on the GDPR found that SMBs disagree with the primary thrust of the regulation, which is to help ensure the security of personal data across the EU, and lack confidence that they can meet its requirements.
Scheduled to go into effect in May 2018, GDPR is intended to strengthen and unify data protection for all individuals within the EU, and applies to any company doing business within the EU. Noncompliance penalties are steep, with fines up to €20 million or 4 per cent of global annual turnover. A complete list of GDPR requirements can be found here.
Research highlights
· 46 per cent of businesses subject to GDPR compliance were uncertain whether they would have to remain compliant after Brexit, and 6 per cent were certain that they would not.
· One-fifth (20 per cent) of the surveyed companies subject to the GDPR haven’t started the compliance process.
· 71 per cent of these businesses haven’t budgeted for the extra resources required to become compliant.
· Nearly three-quarters (73 per cent) of those businesses that have to become compliant didn’t think customer data will be any safer due to the legislation.
· Although 81 per cent of those that need to become compliant had heard of the regulation, a third (34 per cent) were unable to identify basic details of it correctly.
· Of this segment, 26 per cent thought that compliance was not mandatory, while 8 per cent thought the regulation only applied to large businesses.
· Despite needing to become compliant to continue operations as normal, nearly half of UK SMBs (49 per cent) are not confident they can meet the stringent requirements for compliance.
· In addition to their confusion about GDPR compliance, 51 per cent of all SMB survey respondents believe their business is not at risk of cyberattack, indicating a dangerous misperception about the threat landscape and the need for appropriate security measures.
Adam Nash, business sales leader for EMEA, Webroot, says, ‘GDPR compliance should be a crucial part of every organization’s security strategy. In particular, it’s clear that SMBs urgently need to focus their attention on both GDPR compliance and their wider cybersecurity posture. We recommend that all SMBs adopt a multi-layered security approach to meet GDPR; one that includes network security, antivirus protection, and thorough data protection measures.’
Tips for businesses
· Act now. This is the biggest change to data protection laws since the current EU Data Protection Directive was passed in 1995. Getting ready for the GDPR will require time and resources to implement new processes. It’s crucial to get started now so your business is ready.
· Know your data. Find out what data and personal data your organisation has, where it’s stored, and in what systems. Planned audits and allocated resources for this work should be scheduled in sooner rather than later.
· Delete. Make sure that any data you do not need is deleted securely. There are legal requirements to maintain certain types of data. But when data retention is not required, disposing of it helps reduce risk. This needs to be done professionally with specialist equipment or software.
· Communicate. With any process change, effective communication is essential. Proper internal communications to all employees and external communications to suppliers will help make them aware of changes and give them time to amend their own processes in good time.
· Assess. Consider a privacy impact assessment. When auditing the business’s processing of personal data in relation to the GDPR, decide whether a privacy impact assessment is required. Consider whether invasive means of collecting personal data are used and whether the data is processed fairly and lawfully. Individuals must be informed, in a transparent fashion, about the purpose of use and how the business processes personal data.