A recent survey commissioned by Shred-it has revealed “a positive understanding and engagement” with the principles of the General Data Protection Regulation (GDPR) among SMEs on its first anniversary. The findings show that 72% of UK SMEs report being ‘very aware’ of the GDPR’s requirements. However, 60% reported that the recent changes to data protection have had a ‘slight’ or ‘no’ impact on their business, while 8% didn’t know. The figures highlight a possible cosmetic understanding of the GDPR and key areas of concern around the more complex aspects of full compliance.
The independent survey of 1,439 SMEs was commissioned to gather insight on attitudes to data protection. It comprised a series of unprompted questions and covered a range of businesses in specific market sectors across the UK with 85% having 10 to 49 employees. When asked about GDPR readiness, nine-in-ten rated themselves as a ‘4’ or ‘5’ out of 5. The main actions taken were reviewing policies (45%) and e-mailing customers for consent (35%). These are considered to be the lighter ‘front end’ aspects of GDPR compliance according to Shred-it’s experts.
The survey data showed that one third (32%) of SMEs reported the GDPR has had a ‘great’ or ‘considerable’ impact on their business. When those businesses that had experienced challenges with GDPR compliance were probed further, they cited data breaches and disclosure requirements as the main challenges, with healthcare (27%) and property (25%) the industries most affected in those specific areas. Small proportions also reported issues with Subject Access Requests, again with healthcare (28%) and property (15%) being the industries most affected.
Ian Osborne, vice-president for the UK and Ireland at Shred-it, stated: “On the surface it’s good news. It’s clear that many feel they’re already compliant with the GDPR having reviewed areas such as ‘consent’ activities and publishing a privacy notice. These typically deal with the ‘front end’ aspects of the GDPR. However, while many say they’re ready, there’s a real question mark over the extent to which the majority of SMEs are prepared to respond to a data breach or how to react to a Subject Access Request, for example. Our survey suggests that there’s still a need for a large education exercise to show SMEs what’s really involved in GDPR compliance at depth.”
Compliance with the GDPR
Of the 10% that said they were ‘not quite’ or ‘not at all’ ready, who rated themselves as a ‘1’ to ‘3’ out of 5, 42% (ie 54 businesses) said they have not been dealing with it. When asked what was holding them back, their unprompted reasons were that data protection authorities were ‘only interested in bigger companies’, it was ‘not applicable to us’, it was ‘too complicated’ and they were ‘too busy’.
Of the 10%, two-in-five would only trust someone in-house to help them comply with the GDPR – only one-in-ten would consider external support, while only 4% would trust the data protection authority for assistance.
The SMEs that would consider external support were unsure what services they needed and when they would intend to look for support.
ICO enforcement action
In the 12 months between 25 May 2018 and 2019, the Information Commissioner’s Office has taken 59 enforcement actions. There have also been numerous examples of enforcement across different industries including high-profile fines levied against large companies and penalty notices involving smaller businesses failing to pay the data protection fee.
Osborne concluded: “Our survey seems to show two clear pictures emerging. One is where the majority of SMEs are genuinely engaged with the process of compliance. Within that group there are many who believe they’re already compliant, but may have missed some more complex parts of the GDPR. It’s the minority in that group who have recognised its greater challenges and are wrestling with its more complex areas. The other is one where some SMEs recognise they’re not ready, seem unwilling to address the issue of GDPR compliance and are reluctant to seek support in any form that would assist them. When the relevant authority’s fines become more common headlines across the UK, we expect that views may change about what compliance really means.”
Regulation continues to evolve
David Blonder, data protection officer at BlackBerry, has also commented on the GDPR’s first anniversary.
“This time last year, many organisations around the world were scrambling to prepare for the GDPR. All companies affected were fearful that, if they didn’t comply, then they would be hit with a big fine. The reality of the GDPR is that it continues to evolve as cases interpreting the law are still forthcoming, along with anticipated fines and sanctions.”
According to Blonder, compliance is often a journey and, as things stand, 74% of UK organisations are still not GDPR compliant. “While lawsuits have been filed, the EU Data Protection Authorities are taking a measured approach as they apply the GDPR to their cases. According to Andrea Jelinek, chair of the European Data Protection Board and director of the Austrian Data Protection Authority, they’re focusing on quality, not speed. Several cases are expected to be announced within a few months.”
If the first year of the GDPR has taught us anything, Blonder feels, it’s about the importance of data privacy, both to consumers and to organisations. “Now more than ever before, consumers recognise how highly sought-after a commodity their personal information really is to organisations and are demanding more from the companies with whom they choose to do business. They also recognise the value that information presents to malicious actors or the impact of misuse by organisations they trusted. Businesses should be taking preventative steps to protect personal information, rather than exploiting it. This means data protection and security should be paramount. Data privacy is no longer a ‘nice to have’ or a mere marketing strapline. Businesses today must ensure that privacy is embedded by design in the development of their services, products and business operations.”
In conclusion, Blonder informed Risk Xtra: “Ultimately, consumers want to be able to trust businesses with their data. Organisations should be putting data privacy high on their agenda to maintain the trust of their customers and be aware they face heavy fines and reputational damage if personal information is mishandled. As such, policy-makers and leaders across the tech sector need to have a robust discussion about how much regulatory oversight is needed, both to protect privacy and also spur innovation and competition.”
Data breach notifications
European privacy authorities have apparently received nearly 65,000 data breach notifications since the EU’s new privacy law went into full effect. Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, stated: “This demonstrates that organisations are now truly concerned about complying with various GDPR requirements, including breach notifications. However, if we look at this differently, one may reasonably infer that a considerable number are insufficiently protecting their data, in turn allowing data breaches to happen. Worse still, these numbers are just the tip of the iceberg. Nation state attackers and professional cyber mercenaries infrequently leave any technical traces. Their intrusions remain widely undetected and thus unreported.”
Kolochenko added: “The GDPR is nevertheless a valuable mechanism to impose fundamental security requirements that many organisations were knowingly ignoring before enforcement in May 2018. We will likely see the first major outcomes, such as better-protected SMEs, fewer data breaches and better-educated users, in a few years’ time. Companies should not view compliance with the GDPR as some form of silver bullet. Rather, they should view it as a sign of good cyber security hygiene.”