2.1 million small businesses ‘yet to start a plan’ for the GDPR

More than two million UK small and medium-sized enterprises (SMEs) have not yet begun preparing for the upcoming General Data Protection Regulation (GDPR), new research has revealed.

According to a far-reaching study carried out by Atomik Research, approximately 40 per cent of SMEs have made no preparations whatsoever for the new legislation – which will come into force on 25 May 2018.

Generally speaking, the survey found “a mixed bag” in terms of GDPR preparation among the nation’s SMEs, with 61 per cent of respondents claiming that they were “in the midst of planning.”

Crucially, however, a frightening 64 per cent of those quizzed said that they had no plan in place for preventing – or rectifying – customer data breaches once the new legislation was in force.

This is despite the fact that it has been widely publicised that fines dished out by the Information Commissioner’s Office (ICO) for such breaches will be incredibly high – and potentially very damaging for SMEs that fall foul of the law.

In fact, for serious data breaches, the ICO will have the power to fine SMEs up to four per cent of their global turnover or €20 million (£17.7 million), whichever is higher.

Of those SMEs which said they had begun preparations for the new legislation, more than half (54 per cent) said that they had acquired the right ‘in-house expertise’ they would need in order to be fully compliant.

27 per cent said that they had hired new staff specifically to help them prepare for the GDPR, while 44 per cent said that they had reorganised operational responsibilities and processes within the company ahead of the GDPR’s introduction.

On average, the survey found that SMEs had spent more than 80 days – or 600 hours – preparing for the new legislation.