With only months to go until the new General Data Protection Regulation (GDPR) comes into force next May, a survey of business leaders today reveals that there are still a worrying number of companies across the country that are not aware of the costs, complexities and responsibilities associated with the new rules. The survey of almost 900 members of the Institute of Directors, carried out between July and August, shows that nearly a third of company directors have not heard of GDPR, while 4 in 10 don’t know if their company will be affected by the new regulations.
There appears to be a stark contrast between insufficient levels of general awareness on the one hand, and reasonable preparedness of companies who do know about the new rules on the other. Two-thirds of businesses who are aware of GDPR were either very or somewhat confident they fully understand how it will affect the running of their business. The new rules will redefine the way companies handle data and will include tougher punishments for those who fail to comply. Under current regulations, there is a maximum charge of £500,000 or 1% of annual turnover, but this is set to be replaced with a fine of up to €20 million or 4% of annual worldwide turnover. When asked whether they would be fully compliant with the regulations by the May 2018 deadline, 86% of businesses said they were either very or somewhat confident of being so.
The survey also revealed that half of directors had not discussed their own GDPR compliance arrangements with partners or vendors with whom they share data. Business leaders affected by GDPR said they were most likely to seek advice from external private advisors (IT consultants and legal firms), while many also said they would visit the government website or get in touch with the Information Commissioner’s Office. Meanwhile, one-third said they had in-house experts.
These results are being published alongside the IoD’s Digital Strategy Summit , with speakers including the Information Commissioner, Elizabeth Denham, and the Minister of State for Digital, the Rt Hon Matt Hancock MP. More information on this event can be found here .
Jamie Kerr, Head of External Affairs at the Institute of Directors, said:
“It was clear from the outset that this would be a mammoth task for small and large businesses alike, but the scale of the challenge has not necessarily translated into preparedness for the new regulation, despite the huge costs of non-compliance. The Government and the regulator must pull their weight on this issue, as it is set to have a significant impact on businesses across sectors and regions in the UK.
“It is crucial everyone understands just how big this regulatory change will be for business leaders over the next few months. GDPR also comes hot on the heels of a number of big regulatory shifts for business over the past few years. We should also not forget the potential of extensive preparations that will be needed as we depart from the EU. Taken altogether, it’s not the easiest time to do business in the UK.
“Company directors are being pulled in so many different directions it is unsurprising that many do not fully understand the details of GDPR. That said, the regulator has a significant role to play in ensuring that SMEs, as well as larger firms, are fully compliant by May 2018. We urge the regulator to step up its engagement with businesses to ensure that they are spreading the message far and wide. In particular, however, it needs to emphasise in simple terms the criteria for compliance, what steps companies will have to take to comply and what the penalties are for not meeting the new standards. As a representative body, we will do our best to work with them to broadcast these messages.”