UK SMEs not yet sufficiently prepared for GDPR

Posted on 7 Nov 2017 by Jonny Williamson

With the General Data Protection Regulations set to be implemented in May 2018, the UK’s SME community remains unsure about many related issues, survey shows.

GDPR is a regulation which intends to unify data protection within the European Union – image courtesy of ARL Public Affairs

The critical issues include ‘personal data’, their customers’ new and extended rights, and whether the permissions they currently have to contact customers will meet the requirements of the General Data Protection Regulations (GDPR).

The results were obtained from the Close Brothers Business Barometer, a quarterly survey that questions more than 900 UK and RoI SME owners and senior management across a range of sectors and regions.

Neil Davies, CEO at Close Brothers Asset Finance, explained: “GDPR is intended to strengthen and unify data protection for individuals within the EU, but will also affect the UK regardless of Brexit.

“It will ensure that all personal data has to be managed in a safe and secure way; has to be gathered lawfully; is only used for the purposes for which it was collected, and must be accurate and up-to-date.

“The figures from the Barometer tell us that uncertainty persists on a number of key compliance issues and SMEs are concerned about the implications for them and their business.”

Less than a third (31%) of SMEs answered ‘yes’ to the question ‘are you clear what ‘personal data’ means in a business context?’, with 50% saying ‘sort of’ and the remaining 19% ‘no’.

Davies added: “On a positive note, 73% of firm owners categorically stated that they do not share customers’ personal data with third parties.

“There are, however, companies openly admitting to sharing customers’ details (8%) and a further 18% conceding they were unsure of whether they do or not.”

Extended rights

Less than half (48%) of respondents answered ‘yes’ to the question ‘do you understand the new and extended rights that customers have when it comes to collecting and utilising their personal information?’

Davies explained: “The GDPR’s definition of personal data makes it clear that even online identifiers, for example an IP address, can be personal data.

“The new definitions provide for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.

“This example shows just how detailed the new regulations are going to be and it is incumbent on business owners to understand what this means to them.”

Despite the lack of a clear understanding of the extended rights customers will have, 58% of SMEs are confident that the permissions they currently have to contact customers will meet the requirements of GDPR. That still leaves more than 40% of firms who are unconvinced about their readiness ahead of May 2018.

Of those polled, 44% said that they have a process in place to ensure their firm is collecting data in the correct manner, against 35% who were ‘unsure’ and 21% admitting they had no existing process in place.