Majority Of British Businesses Unprepared for GDPR

A new survey has revealed a horrible complacency and lack of preparation among British businesses to the EU’s General Data Protection Regulation (GDPR).

The survey from cyber security firm ThinkMarble found that 73 percent of British businesses remain unaware of the lawful basis for processing data ahead of GDPR deadline on 25 May.

Earlier this week publisher trade groups accused Google of making unreasonable demands on them as it brings in new advertising rules to comply with the GDPR.

Not prepared

The EU passed the GDPR nearly two years ago, but a 24-month grace period ends on 25 May, when enforcement effectively begins. As a result, organisations should be currently altering their privacy practices to comply with the law.

But it seems from the survey of more than 250 businesses that completed ThinkMarble’s GDPR Readiness online portal tool, that the vast majority (nearly three quarters) do not understand the new rules.

And perhaps even worse, about a quarter (25 percent) still do not know or are unsure of where the personal data that they are responsible for is currently held.

In what will make grim reading for data protection officials, the survey also found that 79 percent of businesses have not reviewed their data protection policy and 71 percent have not reviewed their privacy policy in preparation for the GDPR.

And almost unbelievably, 27 percent of respondents have no data protection policy in place.

And if that were not bad enough, 13.5 percent of businesses surveyed also revealed that they are not registered with the Information Commissioner’s Office (ICO), despite them processing personal data, as currently required by law.

“With little more than three working weeks left until the GDPR becomes enforceable, it appears that businesses continue to be woefully underprepared, despite the numerous warnings issued, and have left themselves wide open to being in breach of the new regulation,” said Andy Miles, Founder & CEO at ThinkMarble.

“Too many see the new regulations as a compliance tick box activity and a burden, when really it should be viewed as an investment into your business, your employees and your customers,” said Miles. “I expect that we will see future customers seeking reassurance on how their data is processed and managed and for those organisations that have taken the right steps to reinforcing their cyber security and information practices, they will be the ones that reap the benefits in their future growth.”

Borrowed plans

The survey also found that 24 percent have ‘borrowed’ their data protection policy from another business; 38 percent do not have a privacy policy in place; and 67 percent do not make data security checks when sending data outside the European Economic Area (EEA).

Furthermore, 50 percent of businesses do not make data security checks about outsourced providers; 81 percent do not train staff on data protection and privacy measures; and 68 percent do not inform people what will be done with their data.

Meanwhile 43 percent of responding businesses do not tell people their data will be shared; 76 percent have not reviewed how they obtain consent; and 78 percent do not have policy to dispose of data.

Gemalto told Silicon UK last year that enterprises are at different stages of readiness for GDPR.

However the ThinkMarble survey seems to suggest that most are definitely not ready for its implementation.

How much do you know about privacy? Try our quiz!