Are SMEs ready for GDPR?


The General Data Protection Regulation (GDPR) is coming into force in May 2018 and looks set to transform how businesses gather and handle personal data.

Under the new rules, customers will have unprecedented control over what personal data a business can store and how it is used, and even request the erasure of information.

Firms must also receive clear and unambiguous consent when processing sensitive personal data, the definition of which will now extend to DNA, IP addresses and internet cookies.

Failing to comply with GDPR could be extremely costly, as firms could be hit with a fine of up to £17 million or four per cent of their global turnover - whichever is higher. Add to that the reputational damage that would arise and it is clear that preparing for GDPR is a crucial issue right now.

A recent study by The Data Compliance Doctors found that 61 per cent of small and medium-sized enterprises (SMEs) in Britain are currently planning for GDPR.

But that in turn means nearly four in ten have yet to start preparing, despite the rule coming into place in just five months' time.

How prepared are SMEs?

Figures showed that 73 per cent of SMEs don't have detailed documentation to demonstrate their GDPR compliance. Furthermore, 64 per cent don't have a plan in place to deal with customer data breaches.

Just over half of those surveyed said they believe they have the right GDPR expertise in-house, yet that still means nearly one in two don't have enough internal knowledge about what the law means for them.

A separate study by Zurich showed that while GDPR would affect 85 per cent of SME owners, 44 per cent are not aware that they need to employ a data protection officer or a suitable equivalent from May.

This suggests that a staggering number of SMEs may be leaving themselves open to enforcement action from the Information Commissioner's Office, as well as hefty fines.

Average SME has spent 600 hours preparing for GDPR

While some of the above figures are alarming, it should be stressed that the majority of SMEs have begun getting ready for GDPR before 2018 arrives. 

Figures from The Data Compliance Doctors showed that in the last year alone, the average SME has spent 600 hours - more than 80 days - preparing for the legislation.

It's interesting to note which departments have been vocal about flagging up GDPR-related concerns. In fact, 43 per cent of SME owners revealed it was their marketing team that first questioned whether they were currently handling data in a GDPR-compliant way.

Business functions that SMEs are adjusting for GDPR

Meanwhile, 27 per cent of SMEs have recruited new staff to help them get ready for the legislation, while half of those polled have gone to third-party experts and consultants to guide their preparations. Many SMEs have also ensured that internal departments have been trained up on what they need to know.

Which departments have received GDPR training?

As Lisa Chittenden of The Data Compliance Doctors points out, the findings are something of a "mixed bag in terms of GDPR preparation amongst SMEs". 

"Some have spent a lot of time and money to ensure they are in a good position come May 25th 2018," she observed.

"However, there are many thousands that have not even started, despite all the discussion and media stories in recent months."

Perhaps the arrival of 2018 will serve as a reminder to SMEs that time to get up to speed with GDPR is rapidly running out.

SMEs can ill-afford to shoulder the financial or reputational impact of breaching GDPR, so bosses should use these next five months to make the right preparations and hit the ground running.