SMEs taking cosmetic approach to GDPR compliance Shred-it research shows
A recent survey of SMEs commissioned by Shred-it has revealed a positive understanding and engagement with the principles of GDPR on the surface. While our findings show that 72% of UK SMEs report being ‘very aware’ of its requirements, 60% reported that the recent changes to data protection have had a ‘slight’ or ‘no’ impact on their business, while 8% did not know. The figures highlight a possible cosmetic approach to GDPR and raise concerning questions around the more complex aspects of full compliance.
The independent survey of 1439 SMEs was commissioned to gather insight on attitudes to data protection on the first anniversary of GDPR. It comprised a series of unprompted questions and covered a range of businesses in specific market sectors across the United Kingdom with 85% having 10 to 49 employees. When asked about GDPR readiness nine in ten rated themselves as a ‘4’ or ‘5’ out of 5; the main actions taken were reviewing policies (45%) and emailing customers for consent (35%). These are considered to be the lighter ‘front end’ aspects of GDPR compliance according to Shred-it’s experts.
GDPR impact and concerns
The survey data showed that one third (32%) of SMEs reported that GDPR has had a ‘great’ or ‘considerable’ impact on their business. When those businesses that had experienced challenges with GDPR compliance were probed further, they cited data breaches and disclosure requirements as the main challenges, with healthcare (27%) and real estate (25%) the main industries affected with those specific areas. Small proportions also reported issues with subject access requests, again with healthcare (28%) and real estate (15%) being the main industries affected.
Of the 10% that said they were ‘not quite’ or ‘not at all’ ready, who rated themselves as a ‘1’ to ‘3’ out of 5, 42% (54 businesses) said they have not been dealing with it; when asked what was holding them back, their unprompted reasons were that data protection authorities were ‘only interested in bigger companies’, it was ‘not applicable to us’, it was ‘too complicated’, and they were ‘too busy’. Of the 10%, two in five would only trust someone in-house to help them comply with GDPR – only one in ten would consider external support and only 4% would trust the data protection authority for assistance. The SMEs that would consider external support were unsure what services they needed and when they would intend to look for support.
GDPR enforcement actions to date
In the twelve months between 25th May 2018 and 2019 the Information Commissioner’s Office (ICO), the UK’s independent authority set up to uphold information rights in the public interest, has taken 59 enforcement actions. There have also been numerous examples of enforcement across different industries including high profile fines levied against large companies and penalty notices involving smaller businesses failing to pay the Data Protection Fee1
The survey seems to show two clear pictures emerging. One is where the majority of SMEs are genuinely engaged with the process of compliance; within that group there are many who believe they are already compliant but may have missed some key more complex parts of the GDPR. It is the minority in that group who have recognised its greater challenges and are wrestling with its more complex areas. The other is one where some SMEs recognise they are not ready, seem unwilling to address the issue of GDPR compliance and are reluctant to seek support in any form to help them. When the relevant authority’s fines become more common headlines across the UK, we expect that views may change about what compliance really means.