Whilst nearly two thirds of UK SMEs are now planning for GDPR (61%), a worrying two out of five, (equivalent to 2.1m small businesses), have not started to plan for next year’s new data compliance legislation.
When asked who is leading the preparation, four in ten (43%) business owners said marketing staff had raised concerns about their current ability to handle and use data in accordance with GDPR. In response, 44% had reorganised operational responsibilities and processes.
The most common business function that SMEs are adjusting for GDPR is sales (57%), followed by IT (55%) and marketing (45%). These groups were also the most likely to have received GDPR training (sales and IT both 39%, and marketing 35%).
Over a quarter (27%) of SMEs also said they had hired new staff to help prepare for GDPR, spending, on average, £13,300 on salaries so far. As a result, over half (54%) now feel they have the right GDPR expertise in-house. Half of those questioned have also invested in expert guidance or consultancy, spending almost £8,000 each on fees to date.
Worryingly, despite this spend, nearly three quarters (73%) do not have detailed documentation to evidence their GDPR compliance and over two thirds (64%) of business have no plan in place for customer data breaches.
When asked about their plans to comply to GDPR, most business owners (69%) plan to contact customers directly for consent to retain and process their data. Most businesses will use a combination of methods with 70% doing it via email, 43% by phone and 38% by letter. Nearly two thirds (61%) also plan to use the ‘legitimate interest’ route to comply.
Most business owners are scheduling their GDPR compliance outreach between 1 and 15 January 2018.
Lisa Chittenden, Data Compliance Doctor at The Data Compliance Doctors comments: “Our survey has revealed a mixed bag in terms of GDPR preparation amongst SMEs. Some have spent a lot of time and money to ensure they are in a good position come May 25, 2018. However, our figures show there are many thousands that have not even started, despite all the discussion and media stories in recent months. But, with six months to go, it’s not too late to get yourself up to speed.
“I’d also caution with those businesses planning to contact customers direct for data consent, as opt-in communications can dramatically reduce the number of customers you can talk to. However, there’s a variety of other ways to make data eligible for marketing use - some of which provide greater scope to keep historic information. Our figures reveal that a third of business owners are unsure of the different laws relating to mail versus electronic communications for this purpose. A further third are also unaware of the different permission types, so I’d encourage them to seek expert advice or do some research to ensure they’re fully compliant,” added Lisa.