Three-quarters of SMEs risk huge fines by failing to prepare for data laws


With less than nine months to go until the introduction of strict new data protection and privacy laws, three-quarters of small and medium-sized enterprises have yet to even start preparing for the new regulation, research from Close Brothers reveals. Just one in four SMEs (25.4%) have begun their compliance preparations, a survey conducted by Close Brothers discloses, despite swingeing fines and penalties for businesses that fall foul of the rules.

The General Data Protection Regulation (GDPR), a European Union directive, comes into force in the UK on 25 May 2018, and includes provisions for the EU to levy huge penalties on businesses found guilty of a compliance failure. In the worst cases, this could see firms fined up to €20m or 4% of their annual global turnover.

However, with time running out for businesses to ensure compliance, Close Brothers’ research shows that currently, just one in three (33.3%) SMEs are aware of GDPR’s implications, even though they are covered by the majority of its provisions.

David Thomson of Close Brothers warned the research showed a dangerous lack of preparation for a new data protection regime that may not be straightforward to comply with.

“The GDPR regime includes requirements for new processes such as the employment of data controllers, privacy impact assessments and greater choice for customers, including the right to be forgotten – businesses will also be required to disclose all data breaches to regulators,” David said. “Some of the rules sound deceptively simple, but many firms will struggle to cope because they don’t even have a clear idea of what data they currently hold on customers, or where and how it is stored.”

Close Brothers’ research suggests many SMEs have a great deal of work to do in the short space of time remaining before the GDPR’s implementation. While the survey includes some positive findings – for example, 73% of SMEs say they don’t share customer data with third parties – many businesses simply do not know whether they would be compliant with the new law.

“All organisations must take the GDPR seriously and SMEs are no exception,” added Close Brothers’ David Thomson. “Making an investment now in order to prepare and protect your business is essential if you do not want to risk incurring significant financial penalties – or the major reputational damage that a public breach of the new regulation would undoubtedly cause.”