UK biz: Oh (yawn) GDPR? Was that *next* May? – survey

UK businesses are risking damaging fines by ignoring the implications of upcoming data protection rules, according to a new survey.

A poll of 2,000 businesses by YouGov exposed a significant lack of awareness and urgency among many businesses concerning the General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018. Only three in every 10 (29 per cent) have started preparing for the new data governance rules.

The majority of British businesses are unaware of the new wide-ranging data protection rules, despite 18 per cent admitting the maximum fine for non-compliance would force them out of business and 21 per cent saying it would lead to large-scale redundancies.

GDPR – which will replace existing data protection laws – represents the biggest change in 25 years to how businesses process personal information, according to law firm Irwin Mitchell.

Under the new rules, the maximum fine for data breaches in the UK will rise from £500,000 to €20m or 4 per cent of global turnover, whichever is larger. Despite this severe sanction that affects virtually all businesses, only 38 per cent of those quizzed said they were aware of the rules and 71 per cent are unaware of the new fines.

Joanne Bone, partner and data protection expert at Irwin Mitchell, the firm that commissioned the survey, said: “These results are concerning because with next May’s deadline fast-approaching and with so much at stake, our study reveals there’s a very real possibility that the majority of organisations will not be compliant in time.”

Notification of certain data breaches where there is an impact on privacy, such as a customer database being hacked, must be made to regulators with 72 hours under GDPR. Only one quarter (26 per cent) of businesses expressed confidence that they would be able to detect a data breach within their organisation.

Other changes under the GDPR include an obligation to be more transparent about how personal data is used. Businesses will also need to have processes in place in case an individual asks for all their personal data to be erased.

Irwin Mitchell believes the low level of awareness of GDPR is caused by a number of misconceptions about the new rules, as well as a certain amount of complacency.

A third of businesses reckon GDPR will have no impact, claiming that the regulation is not an issue for their sector. A further 22 per cent claim it isn’t relevant to their organisation because they are not a consumer business.

According to Irwin Mitchell, the rules encompass a wide range of personal data including employee data, payroll and pension records. They also apply to sole traders and partnerships.

Irwin Mitchell’s Bone added: “Contrary to popular belief, personal data is not just consumer information. It is hard to think of a business today that does not use personal data. Whether you have employee data, customer data or supplier data – if the data relates to an individual you will be caught by the new data protection laws.”

The survey also found that 19 per cent view the new data protection rules as an opportunity and 14 per cent said the rules will have a positive impact on their organisation. ®