SMEs not heeding GDPR warnings

05 March 2019

An alarming 75 per cent of small businesses in the UK are yet to update or review their data and privacy policies since the introduction of the General Data Protection Regulation (GDPR) in May 2018, a new report has found.

According to the findings of Under Attack: Assessing the struggle of UK SMBs against cyber criminals, a quarter of the 500 IT bosses within SMEs who took part in the survey said they had no plans to update or review their policies at all.

This is despite the fact that GDPR brings stricter penalties for businesses which fail to protect customer data – fines of up to four per cent of global turnover for the worst offenders.

GDPR has put more pressure on businesses when it comes to storing information they hold on customers and includes new rules on reporting breaches which resulted in data losses. Shortly before GDPR was introduced, research provided by the Federation of Small Businesses found that 90 per cent of small firms were not compliant with the stricter rules and regulations relating to data security and protection.

It is unclear whether such a large percentage of small businesses have yet to take action because they are ignoring the risks and the potential enforcement action against them, or because they do not fully understand what impact flouting the rules could have on their future.

Paul Rosenthal, chief executive officer of Appstractor, said small businesses “have long been in denial” about the threat they face from cyber criminals and it seems this denial has carried over into the risk GDPR carries.

“It is not just the financial risk and the fines that can be imposed under GDPR, but businesses now have a responsibility to report a security breach to those whose data has been put at risk,” Rosenthal said. “The reputational damage alone of being known as a company that can’t keep its customers’ data safe can be enough to sink a small business before any financial fines are imposed.”

Rosenthal added that whatever steps smaller businesses decide to take, “they should at least be reviewing how they gather, store and secure customer data” to ensure they are as compliant as possible.

“Unfortunately, it seems many are not taking GDPR seriously enough, which could have serious consequences,” he said.