UK SMEs have spent 80 days preparing for GDPR, but many are still yet to make plan

GDPR data centreUK small and medium-sized enterprises (SMEs) have spent more than 80 days – or 600 hours – on average of work preparing for the implementation of the General Data Protection Regulation (GDPR) so far.

61 per cent of UK SMEs are in the midst of planning for GDPR, but equivalent to 2.1m small businesses are yet to start a plan, according to a survey of 500 SME owners commissioned by The Data Compliance Doctors and conducted by Atomik Research. Worryingly, 64 per cent of businesses have no plan in place for customer data breaches.

“Our survey has revealed a mixed bag in terms of GDPR preparation amongst SMEs,” said Lisa Chittenden, data compliance doctor at The Data Compliance Doctors.” Some have spent a lot of time and money to ensure they are in a good position come 25 May 2018. However, our figures show there are many thousands that have not even started, despite all the discussion and media stories in recent months. But, with six months to go, it’s not too late to get yourself up to speed.”

43 per cent of marketing staff have raised concerns about their ability to handle and use data to adhere to GDPR, with 44 per cent reorganising operational responsibilities and processes to deal with this.

It was also found that the business function that the most focus was being placed on adjustment is sales, with 57 focused on making it GDPR-compliant. This is followed by IT at 55 per cent and marketing at 45 per cent.

Despite this, and 54 per cent feeling they have the right staff in place, 73 per cent do not have any documentation to evidence their compliance to the regulation.

69 per cent of businesses say they plan to contact customers directly for consent to retain and process their data. 70 per cent will do this via email, 43 per cent by phone and 38 per cent by letter. 61 per cent will take a ‘legitimate interest’ route.

“I’d also caution with those businesses planning to contact customers direct for data consent, as opt-in communications can dramatically reduce the number of customers you can talk to,” said Chittenden. “However, there’s a variety of other ways to make data eligible for marketing use – some of which provide greater scope to keep historic information.

“Our figures reveal that a third of business owners are unsure of the different laws relating to mail versus electronic communications for this purpose. A further third are also unaware of the different permission types, so I’d encourage them to seek expert advice or do some research to ensure they’re fully compliant.”