It may have been a whole year since the GDPR (general data protection regulation) laws came into effect, but new research by business insurer Hiscox has found that business owners still aren’t completely up to speed with what is required of them under the new regulations.
Among the eye-opening findings, the study unearthed that 9 in 10 SME owners still don’t know the main new rights that GDPR gives consumers and 39% don’t know who GDPR affects. These are concerning statistics considering the vast majority of businesses will be dealing with consumer data on a day-to-day basis to some extent.
This lack of understanding perhaps suggests that the efforts made to educate businesses on GDPR compliance were not as effective as hoped. When survey respondents were quizzed on what they found most annoying online in 2018, constant communication about GDPR topped the list, alongside PPI calls and website pop-ups. Is it possible that the abundance of information available was actually more irritating than insightful – failing to engage the intended audience?
What should businesses be doing to comply with GDPR?
The purpose of GDPR is to improve regulation of data privacy and security in the EU, including how businesses collect data, how they use it and how they store it. It aims to provide the general public with more control over their personal data and to encourage businesses to be more transparent about how they are using consumer data.
According to the GDPR directive, ‘personal data’ refers to any information related to a person, such as a name, photo, email address, bank details, social media information, location details, medical records, or even a computer IP address.
Some of the key actions that have been taken that the public will be most aware of are the introduction of updated opt-in cookie consent pop-ups on websites and the distribution of emails informing consumers of updated privacy policies and their usage of personal data.
A lot of businesses have also made the decision to hire a dedicated GDPR officer, who takes responsibility for overseeing the company’s data protection strategy. This individual ensures the business is complying with GDPR by educating all employees on requirements, conducting audits to ensure compliance, maintaining records of data processing activities and more.
Are businesses complying?
According to a report released by DLA Piper in February 2019, between May 2018 when GDPR came into force and January 2019 there were nearly 60,000 reports of data breaches, but only 91 fines had been issued. The highest and most notable fine (€50 million) was issued against Google for failing to acquire users’ consent for advertising.
The consequences of a GDPR breach
The Hiscox study found that 96% of SME owners didn’t know what the maximum fine is for breaching GDPR, despite the fact that a breach could potentially land them in hot water financially.
If a business is found guilty of not complying with GDPR they could face a fine of up to €20 million or 4% of the company’s annual turnover (whichever is higher). These fines can be issued for failing to report a data breach within 72 hours of becoming aware of it or for failing to integrate data protection policies.
All fines are administered on a case-by-case basis, however, and it’s unlikely that many businesses will be fined the maximum amount unless it is a severe case of infringement. Supervisory authorities have the scope to impose smaller fines for less serious cases, or to issue warnings and reprimands and order compliance with data subject requests.
There is still time – and a continued necessity – for business owners to get up to speed with the new laws if they aren’t already. Business owners should treat GDPR compliance as an ongoing challenge that requires continued attention.
Despite the tumultuous journey that the UK has been through regarding Brexit, as it stands, it looks as though the UK is set to leave the EU in the coming months. This doesn’t mean that the nation will be abandoning GDPR, however, as it has now been integrated into domestic law and will also remain incredibly important for anyone doing business with EU countries.
While it may appear that GDPR is something that affects global organisations such as the Googles of the world, it’s just as crucial for smaller businesses to ensure they’re staying on the right side of the law. If you think there’s a chance that your business isn’t complying with GDPR, now’s the time to get up to speed.