9 in 10 SME owners still lacking information on GDPR compliance

It may have been a whole year since the GDPR (general data protection regulation) laws came into effect, but new research by business insurer Hiscox has found that business owners still aren’t completely up to speed with what is required of them under the new regulations.

Among the eye-opening findings, the study unearthed that 9 in 10 SME owners still don’t know the main new rights that GDPR gives consumers and 39% don’t know who GDPR affects. These are concerning statistics considering the vast majority of businesses will be dealing with consumer data on a day-to-day basis to some extent.

This lack of understanding perhaps suggests that the efforts made to educate businesses on GDPR compliance were not as effective as hoped. When survey respondents were quizzed on what they found most annoying online in 2018, constant communication about GDPR topped the list, alongside PPI calls and website pop-ups. Is it possible that the abundance of information available was actually more irritating than insightful – failing to engage the intended audience?

What should businesses be doing to comply with GDPR?

The purpose of GDPR is to improve regulation of data privacy and security in the EU, including how businesses collect data, how they use it and how they store it. It aims to provide the general public with more control over their personal data and to encourage businesses to be more transparent about how they are using consumer data.

According to the GDPR directive, ‘personal data’ refers to any information related to a person, such as a name, photo, email address, bank details, social media information, location details, medical records, or even a computer IP address.

Some of the key actions that have been taken that the public will be most aware of are the introduction of updated opt-in cookie consent pop-ups on websites and the distribution of emails informing consumers of updated privacy policies and their usage of personal data.

A lot of businesses have also made the decision to hire a dedicated GDPR officer, who takes responsibility for overseeing the company’s data protection strategy. This individual ensures the business is complying with GDPR by educating all employees on requirements, conducting audits to ensure compliance, maintaining records of data processing activities and more.

Are businesses complying?

According to a report released by DLA Piper in February 2019, between May 2018 when GDPR came into action and January 2019 there were nearly 60,000 reports of data breaches, but only 91 fines had been issued. The highest and most notable fine (€50 million) was made against Google for failing to acquire users’ consent for advertising.

The consequences of a GDPR breach

The Hiscox study found that 96% of SME owners didn’t know what the maximum fine is for breaching GDPR, despite the fact that a breach could potentially land them in hot water financially.

If a business is found guilty of not complying with GDPR they could face a fine of up to €20 million or 4% of the company’s annual turnover (whichever is higher). These fines can be issued for failing to report a data breach within 72 hours of becoming aware of it or for failing to integrate data protection policies.

All fines are administered on a case-by-case basis, however, and it’s unlikely that many businesses will be fined the maximum amount unless it is a severe case of infringement. Supervisory authorities have the scope to impose smaller fines for less serious cases, or to issue warnings and reprimands and to order compliance with data subject requests.

What next?

There is still time – and a continued necessity – for business owners to get up to speed with the new laws if they aren’t already. Business owners should treat GDPR compliance as an ongoing challenge that requires continued attention.

Despite the tumultuous journey that the UK has been through regarding Brexit, as it stands, it looks as though the UK is set to leave the EU in the coming months. This doesn’t mean that the nation will be abandoning GDPR, however, as it has now been integrated into domestic law and will also remain incredibly important for anyone doing business with EU countries.

While it may appear that GDPR is something that affects only global organisations such as the Googles of the world, it’s just as crucial for smaller businesses to ensure they’re staying on the right side of the law. If you think there’s a chance that your business isn’t complying with GDPR, now’s the time to get up to speed.
