Programmatic Lunch

Almost half of UK businesses expect to be fined for GDPR non-compliance

Tim Maytom

New research by data privacy experts Ensighten suggests that nearly half (45 per cent) of UK businesses have put money aside to cover possible fines connected to GDPR non-compliance. The legislation comes into effect on 25 May.

The research investigated UK marketers' attitudes to data governance, and found that 61 per cent of respondents would apply for an extension on the deadline if they had the choice, due to mounting fears that they will not meet GDPR requirements in time.

Just 26 per cent of UK marketers stated that they were "very confident" that their data governance procedures were robust enough to be deemed compliant. The majority of businesses were doubtful that they will meet the full standards on time, while seven per cent admitted not having implemented any GDPR-relation actions yet, with less than a month until the deadline.

For those marketers that are underway with their GDPR preparations, 63 per cent stated that they have new policies in place to increase the quality of data they will receive after 25 May. However, fewer than half (47 per cent) of marketers are enforcing new policies on partner data acquisition, which may leave them exposed to GDPR non-compliance.

"Unfortunately, we found that brands are aware, but still uncertain in their final month of GDPR preparation," said Ian Woolley, chief revenue officer at Ensighten. "The research shows that 45 per cent of UK businesses have set money aside in anticipation of regulatory fines. The good news is that brands still have time to deploy and optimise customer privacy and consent options on their websites."

One of the key reasons that Ensighten found behind this lack of preparation was an absence of accountability, with little consensus among businesses regarding who should be in charge of GDPR overall. According to respondents, 32 per cent pointed to the CEO, 26 per cent to the chief data officer and 22 per cent to the chief marketing officer. Only 14 per cent cited the data protection officer as the risk manager, yet this is a GDPR-mandated position where organisers perform regular and systematic processing of data subjects on a large scale.

"Educating consumers on how their personal data is used and why their permission is needed is essential to building consumer trust and gaining their opt-in consent," said Woolley. "GDPR is not just a legal hurdle to jump. Whilst brands are putting money aside for fines, they should not underestimate the damage to their reputation and business from not educating customers now."