I must confess. Until last summer I didn’t know much about GDPR. I had heard a new data protection regulation was on the way, but that was the sum of my knowledge. I felt that was a little shameful, as a person who specialises in assisting businesses to understand information risk management. After all, data protection is about managing your risks around the data you hold.
I went off and searched for information and found an abundance, probably too much and too complex and much of it aimed to scare, talking about fines of 4% of global turnover. But I recall that I had to go and find information. Nothing at that point had been ‘pushed’ to me. Not that I can recall anyway.
Now I have an interest in understanding the regulation, but what about the general business population, how much do they understand? I have been doing a few seminars on GDPR recently; whenever I ask the audience how many know about it, there is normally less than 10% who admit to knowing anything. Then they appear almost embarrassed to be in a minority. This prompted me to conduct a short survey amongst local businesses to understand the level of understanding and preparedness. I can’t admit to it being scientific, but the findings are quite concerning.
The questionnaire was sent to local businesses, randomly selected from the Chamber of Commerce membership database and my own contacts. It included a combination of small, medium, large and public sector organisations. There was a 24% response rate, with 81% saying that they currently hold data that can identify individuals. The responses were completely anonymous.
The first question asked how aware businesses were of GDPR. 32.5% declared no awareness at all, but 46.5% said they were aware of GDPR but did not understand how it would affect the business. That is 79% of businesses who, as yet, have done nothing to prepare or don’t even know about it. We are now only a year off the deadline for compliance!
Some businesses have started to examine the implications, but 34% of the respondents said they didn’t know when they would start. This is coupled with the fact that 37% of the organisations have not yet defined or allocated any resource to the implementation. That is even more concerning when 42% indicated that they thought implementation would take between 6 months and 1 year or even longer.
Why aren’t businesses prepared? Why is knowledge of GDPR so low? Well, I take you back to my first paragraph. I think businesses still have to go in search of the information. When you find it, for most business leaders, it can be scary. Some of it is generating the FUD (Fear, Uncertainty and Doubt) that we had with cyber a few years ago.
There has been little information pushed from the powers that be. When I compare GDPR to Auto Enrolment, I think every business leader in the country got personal correspondence from the DWP clearly telling them what they needed to do; however, there has been nothing similar on GDPR.
The ICO has some excellent publications: ‘Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now’, being just one. Isn’t it time the Government started pushing this information out to businesses, rather than expecting them to stumble upon it? This is a big change for many businesses and they need support.