Two in five SMEs unprepared for data compliance laws
TWO in five small- and medium-sized enterprises (SMEs) have not started to plan for next year’s new data compliance legislation, a poll shows.
The General Data Protection Regulation (GDPR) will overhaul how businesses process and handle data when it comes into force on 25 May 2018.
An Atomik Research survey of 500 SME owners, commissioned by The Data Compliance Doctors, found the average UK SME has spent over 80 days (600 hours) preparing for the legislation over the past year.
When asked who is leading the preparation, four in 10 (43 per cent) said marketing staff had raised concerns about their current ability to handle and use data in accordance with GDPR. In response, 44 per cent had reorganised operational responsibilities and processes.
The most common business function that SMEs are adjusting for GDPR is sales (57 per cent), followed by IT (55 per cent) and marketing (45 per cent). These groups were also the most likely to have received GDPR training.
Meanwhile, over a quarter (27 per cent) of SMEs said they had hired new staff to help prepare for GDPR, spending an average of £13,300 on salaries so far, and as a result 54 per cent now feel they have the right expertise in-house.
Another half have invested in expert guidance or consultancy, spending almost £8,000 each on fees to date, yet 73 per cent do not have detailed documentation to evidence their GDPR compliance. A further 64 per cent have no plan in place for customer data breaches.
When asked about their plans to comply with the legislation, 69 per cent said they plan to contact customers directly for consent to retain and process their data. Of these, 70 per cent said they would contact customers via email, 43 per cent by phone and 38 per cent by letter.
Nearly two thirds (61 per cent) plan to use the “legitimate interest” route to comply – one of six lawful grounds for personal data processing.
Lisa Chittenden, data compliance doctor at The Data Compliance Doctors, said she would caution against contacting customers directly for data consent because opt-in communications can dramatically reduce the number of customers a business can talk to.
She said there is a variety of other ways to make data eligible for marketing use, some of which provide greater scope to keep historic information.
Chittenden added: “Our survey has revealed a mixed bag in terms of GDPR preparation amongst SMEs. Some have spent a lot of time and money to ensure they are in a good position come 25 May 2018.
“However, our figures show there are many thousands that have not even started, despite all the discussion and media stories in recent months. But, with six months to go, it’s not too late to get yourself up to speed.”