A new survey has highlighted that a majority of UK businesses are not adequately prepared for GDPR due to misconceptions that exist about the new rules.
71% of UK businesses are unaware of fines under the GDPR and a number of them fear they would go out of business if forced to pay the maximum fines.
A YouGov survey of over 2,000 UK businesses has revealed some alarming facts about their readiness for the upcoming data protection law, which will come into force less than a year from today. The GDPR proposes to extensively reform existing cyber-security and data protection practices and to impose heavy fines on erring businesses that fail to protect customer data.
Among other things, the GDPR will impose fines of either €20 million or 4 percent of a company's global turnover, whichever will be higher. Such fines will be much higher compared to a maximum of £500,000 imposed by the existing Data Protection Act.
Out of 2,000 businesses covered under the survey, as many as 71% of them are unaware of the fines under GDPR. Of those who are aware, 21% will make small-scale headcount reductions and 10% will cut staff by significant numbers to cover large fines under the GDPR. Only 29% of all businesses have started preparing for the GDPR, which has led experts to fear that a majority of them will not be ready when the new rules come into effect.
“These results are concerning because with next May’s deadline fast-approaching and with so much at stake, our study reveals there’s a very real possibility that the majority of organisations will not be compliant in time,” said Joanne Bone, partner and data protection expert at Irwin Mitchell.
Rashmi Knowles, field CTO at RSA, also expressed a similar concern last week. "Organisations can no longer see data breaches as an abstract tech or IT problem; boycotts and penalties are serious business risks and should be a board-level business issue. Make no mistake, there will be businesses that will never fully recover from such a fine if they don’t go out of business entirely. We will all know of the EU General Data Protection Regulation then,” she said.
Among other things, the GDPR will make it mandatory for companies to conduct data privacy impact assessments to identify risks and mitigations before engaging in high-risk activities; to obtain clear, affirmative consent from the individuals involved before initiating data collection; to identify all personal data they hold and assess how it is stored and for what purpose it is used, so as to be prepared for audits; and to obtain explicit parental consent for any data collected about minors.
At the same time, the GDPR will also require UK businesses to report data breaches to the regulator and to affected customers within 72 hours, but many businesses believe they will not be able to abide by this rule. According to the YouGov survey results, only 26% of surveyed businesses expressed confidence in their ability to report data breaches to the regulator within 72 hours. Another 34% said they are confident, but not certain, that they could report breaches within 72 hours of their occurring.
“It is important to recognise that taking a proactive approach towards GDPR compliance will potentially reap financial benefits. Good data governance can build customer trust and the right permissions can also help businesses take advantage of the Big Data Revolution and enable them to commercialise their data for competitive advantage,” said Stuart Padgham, Partner & National Head of Commercial at Irwin Mitchell.
While GDPR compliance may play a big part in boosting cyber security in the country and avoiding data breaches, what may impact universal compliance are a number of misconceptions about the upcoming regulations. One in three UK businesses feels that GDPR will have no impact on them and 22% of them feel GDPR rules won't apply to them since they do not handle consumer data. In truth, along with consumer data, the GDPR will also apply to employee data, payroll, and pension records as well as to sole traders and partnerships.
“Contrary to popular belief personal data is not just consumer information. It is hard to think of a business today that does not use personal data. Whether you have employee data, customer data or supplier data – if the data relates to an individual you will be caught by the new data protection laws,” Joanne Bone added.