With six months to go until the General Data Protection Regulation (GDPR) deadline of 25 May 2018, new research today reveals the average UK SME has spent over 80 days (600 hours) preparing for the legislation over the past year.
Whilst nearly two thirds of UK SMEs are now planning for GDPR (61 per cent), a worrying two out of five (equivalent to 2.1 million small businesses) have not started to plan for next year’s new data compliance legislation.
When asked who is leading the preparation, four in ten (43 per cent) business owners said marketing staff had raised concerns about their current ability to handle and use data in accordance with GDPR. In response, 44 per cent had reorganised operational responsibilities and processes.
The most common business function that SMEs are adjusting for GDPR is sales (57 per cent), followed by IT (55 per cent) and marketing (45 per cent). These groups were also the most likely to have received GDPR training (sales and IT both 39 per cent, and marketing 35 per cent).
More than a quarter (27 per cent) of SMEs also said they had hired new staff to help prepare for GDPR, spending, on average, £13,300 on salaries so far. As a result, more than half (54 per cent) now feel they have the right GDPR expertise in-house. Half of those questioned have also invested in expert guidance or consultancy, spending almost £8,000 each on fees to date.
Worryingly, despite this spend, nearly three quarters (73 per cent) do not have detailed documentation to evidence their GDPR compliance and over two thirds (64 per cent) of businesses have no plan in place for customer data breaches.
When asked about their plans to comply with GDPR, most business owners (69 per cent) said they plan to contact customers directly for consent to retain and process their data. Most businesses will use a combination of methods, with 70 per cent doing it via email, 43 per cent by phone and 38 per cent by letter. Nearly two thirds (61 per cent) also plan to use the ‘legitimate interest’ route to comply.
Most business owners are scheduling their GDPR compliance outreach between 1 and 15 January 2018.
Lisa Chittenden, data compliance doctor at The Data Compliance Doctors, comments, ‘Our survey has revealed a mixed bag in terms of GDPR preparation amongst SMEs. Some have spent a lot of time and money to ensure they are in a good position come May 25, 2018. However, our figures show there are many thousands that have not even started, despite all the discussion and media stories in recent months. But, with six months to go, it’s not too late to get yourself up to speed.
‘I’d also caution with those businesses planning to contact customers direct for data consent, as opt-in communications can dramatically reduce the number of customers you can talk to. However, there’s a variety of other ways to make data eligible for marketing use – some of which provide greater scope to keep historic information. Our figures reveal that a third of business owners are unsure of the different laws relating to mail versus electronic communications for this purpose. A further third are also unaware of the different permission types, so I’d encourage them to seek expert advice or do some research to ensure they’re fully compliant,’ adds Lisa.