Less than one in ten UK SME bosses understand new GDPR rules

Nearly half of small and medium-sized business owners have not heard of the EU General Data Protection Regulation.

Fewer than one in ten (nine per cent) SME owners in the UK fully understand what the forthcoming EU General Data Protection Regulation (GDPR) actually means for their business or have taken the appropriate steps to prepare themselves for it, according to the latest Aldermore Future Attitudes study of small and medium-sized business (SME) owners.

The new framework, which is designed to strengthen and unify data protection for all individuals within the European Union (EU), will hand out tough punishments for those who fail to comply with new rules around the storage and handling of personal data. The regulation comes into force in May 2018, but nearly half (46 per cent) of all SME bosses, representing more than 2.5 million firms in the UK, have not even heard of it.

Furthermore, the GDPR will also introduce a duty on all organisations to report certain data breaches to the relevant supervisory authority and in some cases to the individuals affected, as well as giving customers the right to be forgotten, which requires firms to erase all their information. This is a considerable step change and will affect many small and medium-sized organisations, particularly as recent industry figures show that two thirds (66 per cent) of SMEs have been a victim of cyber-crime since their launch.

With data breach threats becoming an ever-growing concern for business leaders, Aldermore’s report, which surveyed over a thousand senior decision makers across the UK, reveals that more than a fifth (22 per cent) of SMEs and their customers have been directly affected by a data breach in the past two years. More than half (55 per cent) of business owners are concerned about cyber-crime and the impact it might have on their firms, with a further two in five (39 per cent) SME bosses also anticipating that a cyber-attack could have a significant financial impact on their business.

Surprisingly, only a third (34 per cent) of businesses see protection against cyber-crime as a high priority and have taken steps to protect themselves, considering cyber-crime can involve something as simple as having business emails hacked and subsequent data stolen or intercepted. A further fifth (22 per cent) realise it is an important issue but haven’t found the time to look into appropriate safeguards, with a further one in ten (12 per cent) saying that they cannot afford to shield themselves adequately.

What is more surprising is that a quarter (25 per cent) of business owners say protection against cyber-attacks is not an important issue for their businesses. The research also reveals that only a half (49 per cent) of UK SMEs currently have data breach policies in place around the use of email, internet and mobile devices.

Carl D’Ammassa, group managing director of business finance at Aldermore, says, ‘The GDPR is the biggest shake-up in data protection to date and the results are worrying when looking at the amount of businesses that are unaware of the impact it will have on them. Data privacy, the appropriate use of customer information and breach notifications all need to be taken incredibly seriously. This is made especially apparent when one considers the increased sanctions businesses face if they don’t keep to the new regulations, including regular data protection audits, and fines of up to £20 million or 4 per cent of their annual turnover for the most serious violations.

‘Moreover, we hope the EU’s new regulation achieves what it sets out to do and strengthens the resistance of businesses against the threat of a data breach. SMEs need to be clear on the use of customer information, ensure they are GDPR ready as soon as they can be and are aware of the impact this will have once it comes into effect in May next year.

‘The danger of cyber-attacks for all businesses, not just SMEs, is an ever present one and is something that is likely to increase as economic activity moves to the digital world. With these attacks having a significant financial and reputational impact on a business, it is crucial all SMEs take adequate time to analyse and protect themselves against this threat.’


Owen Gough, SmallBusiness UK


Owen was a reporter for Bonhill Group plc writing across the Smallbusiness.co.uk and Growthbusiness.co.uk titles before moving on to be a Digital Technology reporter for the Express.co.uk.



One reply on “Less than one in ten UK SME bosses understand new GDPR rules”

  1. Nearly every SME has a website that captures some information from users – email address, phone number, etc. GDPR requires all private or tracking data to be gathered after the user has been provided with an understandable explanation of the benefits of providing this data, how it will be used and protected, and most importantly users must give their consent and be given an easy way to revoke their consent later.

    This aspect of the GDPR is the easiest way for a regulator to test to see if a company has put in any effort toward GDPR compliance. By simply visiting the company’s website and signing up for something, a regulator can see if GDPR notice and consent rules are being followed.

    Creating the IT to administrate all of the complexities of GDPR notice and consent is beyond most SMEs’ capability, which is why my company created ConsentIQ, a software as a service solution for SMEs that can be integrated into websites with just a few lines of code.
