Despite GDPR being just 85 days away from being implemented, up to 90 percent of small businesses in the UK are still unprepared for the landmark data protection legislation, the Federation of Small Businesses (FSB) has warned.
Even though GDPR is less than three months away, 33 percent of small businesses in the UK haven’t started preparing for it, and only 35 percent are in the early stages of preparation.
According to a survey conducted by the FSB, only 8 percent of small businesses, which account for a majority of the 5.7 million private sector businesses in the UK, are truly prepared for GDPR, while the rest are either not preparing at all, are in the early stages of preparation, or are actively preparing for the landmark data protection legislation.
“The GDPR is the biggest shake-up in data protection to date and many small businesses will be concerned that the changes will be too much to handle. It’s clear that a large part of the small business community is still unaware of the steps that they need to take to comply and may be left playing catch-up,” said Mike Cherry, National Chairman of the FSB.
“With less than 100 days until the changes come into force, the attention now shifts to the Information Commissioner’s Office and whether it can effectively manage the demands of small businesses seeking advice and guidance. It is vital that smaller firms looking for this support, either by phone or the web, are able to get it easily.”
According to the FSB, more than half (52 percent) of all small businesses are planning to approach the Information Commissioner’s Office for advice on how to prepare for GDPR, as there are fears that some of them will not be ready by the time it comes into force.
“Non-compliance must initially be dealt with in a light touch manner instead of handing down tough penalties. There must be a willingness to play a supportive role in ensuring that small businesses can and are able to comply. The ICO will be critical to creating an environment which focuses on education and prevention and not punishment,” Cherry added.
The FSB added that complying with data protection laws is not only time-consuming but costly for small businesses as well. As many as 60 percent of small businesses told the group that complying with data protection either affected their profits or limited their workforce expansion plans.
“On average small firms will spend seven hours per month meeting their data protection obligations which equates to £1,075 per year. The direct cost of complying comes in at £508 per year. These costs will continue to grow with GDPR and further data protection regulation, such as ePrivacy, coming into force,” it noted.
Responding to the survey’s findings, Information Commissioner Elizabeth Denham said that even though GDPR would empower her office to impose large fines, the law is not only about fines but about “putting the consumer and citizen first, and rebalancing data relationships and trust between individuals and organisations.”
“The report tells us that many small and medium-sized organisations are preparing for the new data protection laws but some still have to make a start. The ICO’s website offers a number of ways in which organisations of all sizes, and all sectors, can self-serve to get the help they need. We will study the survey findings carefully to see if we can improve the help we offer.
“We also know that many representative bodies and sector associations are also providing excellent GDPR advice and support for their members,” she added.
This isn’t the first time that the failure of small businesses to comply with data protection laws has been exposed. In October last year, a survey conducted by Duo Security in partnership with YouGov revealed that 45% of small business owners shared a belief that they will never be targeted by cyber criminals. Thanks to this notion, 38% of them told the surveyors that they would spend nothing at all to protect themselves from cyber security threats.
The Duo Security survey also revealed that while 47% of small business owners considered cyber security too expensive, they viewed the lack of knowledge on combating cyber threats as a bigger issue than money or employee awareness.