From short online articles to 50-page whitepapers, information about the General Data Protection Regulation is everywhere. However, with just 10 weeks to go until the 25 May deadline, it appears confusion still reigns among the UK’s small businesses about what they have to do to become compliant. 400 responses were gathered in a GDPR Checklist Survey run by online legal service LawBite, which asked respondents 27 questions about the GDPR and their business.

Of those 400 small businesses who took the survey, 65% had 1 – 5 employees, 25% were in the 6 – 30 bracket and 10% had 31+. But what were some of the most surprising statistics that emerged from their responses?

  • Just 38% of respondents knew the ‘lawful basis’ they had for collecting and processing data. This might sound like more lingo, but it is vital that as an organisation you know why you collect personal data and that your use of it is entirely transparent and agreed to by those giving it up.
  • 1/3 of SMEs were unsure as to whether they were ‘data processors’ or ‘data controllers’. It appears the lingo surrounding the GDPR still stumps many small businesses, but it is vital to understand these basic terms. In essence, a data controller collects information and a data processor actually does something with it, so you could very well be both! There are different obligations under the GDPR for each.
  • 81% of respondents didn’t have any training programme in place for data management for their organisation with a further 9% As a small business, it’s understandable that you wouldn’t want to splash the cash on expensive training, but with so many people handling your customers’ data to do their job (think operations, sales and marketing!), it is important they know what they can and can’t do with it. Ignorance of the rules will not be tolerated as an excuse by the Information Commissioner’s Office (ICO).
  • Only 1/3 said that they fully understand the rights of those they hold data about – their ‘data subjects’. This general question regarding data subject rights and apparent lack of understanding is very revealing in terms of what people really know about the GDPR, even though we are all ultimately data subjects. It demonstrates that there should be a greater awareness campaign about its effects and more practical advice given for small businesses to become compliant, rather than solely looming deadlines and scare tactics.
  • 2/3 of respondents were confident that the systems where they store personal data were secure, which seems like a positive number amongst all the previous confusion. On the flip side, however, that potentially means a third of the small businesses you interact with either know that the systems handling your data are not secure or aren’t sure whether they are. Under the GDPR, it is the responsibility of the organisation that is collecting and processing data to make sure it is kept safe. It’s also likely that many SMEs don’t know what the required standards are, and are simply guessing that their existing security is sufficient.

Clive Rich, LawBite Founder and Chairman, said: “GDPR is a potential game-changer for SMEs. Anyone who collects, processes or holds personal data is affected. The standards required to obtain consent and utilise data will become much more onerous overnight, and the new regime is backed by severe sanctions, including fines for breach of up to 20 million Euros or 4% of turnover.”

With just 10 weeks to go, there is clearly still a lack of understanding, and of practical steps being taken, to ensure GDPR compliance for small businesses, with many convinced it won’t affect them anyway. There is also a lot of misinformation about the GDPR (Brexit means we won’t have to comply, anyone?) that will cause problems later down the line once the GDPR is fully enforceable. Like most legal requirements, addressing the GDPR is something of an expensive bore to most small businesses, but companies like LawBite make addressing your needs fast and inexpensive.