May 17, 2017

More than half of UK business owners unaware of incoming General Data Protection Regulation

London 17 May 2017 - Eighty-four per cent of UK small business owners and 43% of senior executives of large companies are unaware of the forthcoming General Data Protection Regulation, according to Shred-it’s seventh annual Security Tracker research, conducted by Ipsos.

The General Data Protection Regulation (GDPR) is an important new piece of legislation, which will replace existing European data protection laws from May 2018. Its purpose is to bring greater strength and consistency to the data protection given to individuals within the European Union (EU).

The Security Tracker survey also found that only 14% of small business owners and 31% of senior executives were able to correctly identify the fine associated with the new regulation – up to €20 million or 4% of global turnover. This is despite a large proportion of senior executives (95%) and small business owners (87%) claiming to have at least some understanding of their industry’s legal requirements.

Businesses which are unaware of the forthcoming legislation and its implications are putting themselves at risk not only of severe financial penalties, but also of the reputational damage caused by adverse publicity associated with falling foul of the law. This can often have a greater impact than the fine itself. Research shows that 64% of executives agree that their organisation’s privacy and data protection practices contribute to reputation and brand image[1].

Of those respondents who claim to be aware of the legislation change, only 40% of senior executives have already begun to take action in preparation for the GDPR, in spite of 60% agreeing that the change in legislation would put pressure on their organisation to change its policies related to information security.

The survey also highlights that companies feel the UK Government needs to take more action. Forty-one per cent of small business owners (an 8% increase from 2016) believe that the Government’s commitment to information security needs improvement.

Robert Guice, Senior Vice President Shred-it EMEAA, said: “As we approach May 2018, it’s crucial that organisations of all sizes begin to take a proactive approach in preparing for the incoming GDPR.
“From implementing stricter internal data protection procedures such as staff training, internal processing audits and reviews of HR policies, to ensuring greater transparency around the use of personal information, businesses must be aware of how the legislation will affect their company to ensure they are fully compliant.

“Governmental bodies such as the Information Commissioner’s Office (ICO) must take a leading role in supporting businesses to get GDPR ready, by helping them to understand the preparation needed and the urgency in acting now.

“The closer Government, information security experts and UK businesses work together, the better equipped organisations will find themselves come May 2018.” 

Notes to editors

The EU’s General Data Protection Regulation will come into effect on 25 May 2018 in the UK. It is the first ever truly global piece of data protection regulation and brings into play the concept of a ‘one-stop shop’ for data protection, as any lead data authority in the EU will be able to take action against an organisation in their respective jurisdiction.

The legislative changes will see stricter rules introduced for companies around securing consent to use personal information, as well as additional requirements for some organisations such as the introduction of a nominated data protection officer and privacy risk assessments for certain projects or activities.

Whatever the situation regarding the UK’s EU membership, the GDPR will still apply in EU markets where UK companies do business and those companies will still be expected to comply with the legislation’s requirements in these countries.

About the survey:

Ipsos is one of the largest and best known research companies in the world. With a direct presence in 60 countries its clients benefit from specialist knowledge drawn from five global practices: public affairs research, advertising testing and tracking, media evaluation, marketing research and consultancy, customer satisfaction and loyalty.

Ipsos conducted a quantitative online survey of two distinct sample groups:

Small Business Owners (SBO) in Canada (n=1,001), the United States (n=1,000), and the United Kingdom (n=1,001), all of which have fewer than 100 employees.

C-Suite Executives in Canada (n=100), the United States (n=100), and the United Kingdom (n=100). In Canada, C-Suite executives work for companies with a minimum of 100 employees, with the minimum threshold in the U.K. being 250 employees, and 500 employees in the United States.

Data for Small Business Owners is weighted by region. Data for C-Suite Executives is unweighted as the population is unknown.

The precision of Ipsos online surveys is calculated via a credibility interval. In this case, the Canada SBO sample is considered accurate to within +/- 3.5 percentage points had all Canadian small business owners been surveyed, and the Canada C-Suite sample is accurate to within +/- 11.2 percentage points had all Canadian C-Suite executives been surveyed.

The fieldwork was conducted between February 15 and February 28, 2017.

Every year, Shred-it develops the State of the Industry Report to highlight common Information Security trends and emerging challenges based on the Security Tracker’s key findings. Now in its fifth year, this report provides comprehensive insights and tips on how businesses can protect and mitigate risks when it comes to information security. Download the current report to learn more about information security trends, as well as ways in which businesses, large and small, can protect their data.

About Shred-it
Shred-it is a world-leading information security company providing information destruction services that ensure the security and integrity of our clients' private information. Shred-it, a Stericycle solution, operates in 170 markets throughout 19 countries worldwide, servicing more than 400,000 global, national and local businesses. For more information, please visit