It’s been more than 18 months since the GDPR (General Data Protection Regulation) took effect, and yet millions of small businesses across Europe have major compliance gaps, a study has found.
The GDPR Small Business Survey, which polled 716 organisations in Ireland, the UK, Spain and France, found that only 56% of organisations were confident that they obtained a lawful basis for processing personal data, as mandated by Article 6 of the GDPR.
Likewise, only 44% of organisations are confident that they describe their data processing activities to stakeholders in clear, plain language – in line with Article 12 of the Regulation.
By contrast, 10% were sure that they didn’t comply with Article 6 and 15% were sure that they didn’t comply with Article 6. These mistakes are punishable under the GDPR’s upper tier of penalties – i.e. €20 million or 4% of the organisation’s annual global turnover, whichever is greater.
Let’s take a look at some of the other findings from the report.
Organisations are unsure about compliance requirements
The cause of organisations’ compliance gaps appears to stem from the top, with many senior managers confused about what they should be doing.
When the respondents were asked whether they used end-to-end encryption for emails – one of the recommended strategies to meet the GDPR’s requirement for “appropriate” technical measures – only 9% said they did.
Another 58% said that they encrypted emails but, when asked to identify the encryption provider they use, gave answers like ‘VPN’, ‘Mailchimp’ and ‘Dropbox’.
Seven Irish respondents said their end-to-end cloud storage provider was ‘Reddit’.
Organisations are trying to meet the GDPR’s requirements, though. The report found that 90% of respondents invested more than €1,000 in compliance activities, and 42% spent more than €10,000.
The investment seems to be tied to the acknowledgement that better data protection can help business rather than hinder it. Indeed, 67% of respondents said that they didn’t believe that GDPR compliance would slow the growth of their organisation.
One respondent explained their willingness to invest by saying, “I would want my data protected, so I do the same for my clients”, demonstrating that the public is taking greater interest in data protection and that the GDPR’s requirements meet an essential business need.
It appears to be this, as much as the threat of disciplinary action, that is spurring organisations on in their compliance activities.
Two-fifths of respondents said that it was ‘somewhat likely’ that they would face penalties for violations, while many others doubted that violations would be investigated.
GDPR compliance is crucial for your business to succeed
Whether you’re concerned about GDPR fines or satisfying stakeholders by securing their data, one thing everybody can agree on is that regulatory compliance is essential for long-term success.
Of course, the two things are related, with many lawmakers noting that the threat of punishment is simply the push some organisations need to recognise the importance of protecting data subjects’ personal information.
Those who want to know how to get started should take a look at our GDPR Implementation Bundle.
This package provides you with all the resources you need to simplify your compliance process, saving you time and money in the process.
- EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide, Second edition (eBook), giving you an easy-to-understand breakdown of your compliance requirements;
- An EU GDPR Compliance Gap Assessment Tool, which identifies any areas of non-compliance; and
- The EU GDPR Documentation Toolkit, containing a comprehensive list of templates to help you document your compliance activities.