Much work still to be done before UK SMEs fully prepared for GDPR

With new GDPR rules coming into play in 2018, research suggests that UK small businesses need to do much more work in order to be compliant.

With the General Data Protection Regulations (GDPR) set to be implemented in May 2018, the UK’s SME community remains unsure about a number of related issues, including what ‘personal data’ really means, their customers’ new and extended rights, and whether the permissions they currently have to contact customers will meet the requirements of GDPR.

The results were obtained from the Close Brothers Business Barometer, a quarterly survey that questions over 900 UK and RoI SME owners and senior management across a range of sectors and regions.

‘GDPR is intended to strengthen and unify data protection for individuals within the EU, but will also affect the UK regardless of Brexit,’ says Neil Davies, CEO, Close Brothers Asset Finance.

‘It will ensure that all personal data has to be managed in a safe and secure way; has to be gathered lawfully; is only used for the purposes for which it was collected, and must be accurate and up-to-date.

‘The figures from the Barometer tell us that uncertainty persists on a number of key compliance issues and SMEs are concerned about the implications for them and their business.’

Less than a third (31 per cent) of SMEs answered ‘yes’ to the question ‘are you clear what ‘personal data’ means in a business context?’, with 50 per cent saying ‘sort of’ and the remaining 19 per cent ‘no’.

‘On a positive note, 73 per cent of firm owners categorically stated that they do not share customers’ personal data with 3rd parties,’ says Davies.

‘There are, however, companies openly admitting to sharing customers’ details (eight per cent) and a further 18 per cent conceding they were unsure of whether they do or not.’

Extended rights

Less than half (48 per cent) of respondents answered ‘yes’ to the question ‘do you understand the new and extended rights that customers have when it comes to collecting and utilising their personal information?’

‘The GDPR’s definition of personal data makes it clear that even online identifiers, for example an IP address, can be personal data,’ explains Davies.

‘The new definitions provide for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.

‘This example shows just how detailed the new regulations are going to be and it’s incumbent on business owners to understand what this means to them.’

Despite the lack of a clear understanding of the extended rights customers will have, 58 per cent of SMEs are confident that the permissions they currently have to contact customers will meet the requirements of GDPR.

‘This still leaves more than 40 per cent of firms who are unconvinced about their readiness ahead of May 2018,’ says Neil.

‘How it works is that companies must get prior consent from data subjects (opt in) and record that consent. What’s more, the consent must relate specifically to the purposes of why a company needs that data; companies cannot get consent for one purpose and then use the gathered personal data for another.

‘On top of this, consumers must be able to revoke their consent as easily as it was originally given because many consumers complain that it is easy to opt in to data gathering, but difficult to unsubscribe or opt out.’

Processes

Of those polled, 44 per cent say they have a process in place to ensure their firm is collecting data in the correct manner, against 35 per cent who were ‘unsure’ and 21 per cent admitting they had no existing process in place.

‘Businesses have to be seen to be compliant and this includes ensuring these sorts of processes are in place, which are intended to ensure customers are fairly treated,’ says Davies.

Owen Gough, SmallBusiness UK
