Most UK small businesses 'ignoring GDPR risks'


The majority of small businesses in the UK are yet to update or review their data security and privacy policies since the introduction of the General Data Protection Regulation – seven months after the new rules were officially introduced.

Although GDPR carries stricter penalties for businesses that fail to protect customer data – up to 4% of global turnover for the worst offenders – three quarters of small companies are yet to take any action to improve how they store data, according to new research.

And a quarter of companies have no plans at all to review their current data handling and storage procedures, according to the independent report "Under Attack: Assessing the struggle of UK SMBs against cyber criminals", commissioned by security technology company Appstractor Corporation and compiled by Sapio Research.

The report, which assessed the views of 500 IT bosses within UK small businesses, found that even of those companies which had made plans to update their data security, one in five had failed to make any progress.

Introduced in May 2018, GDPR has put more pressure on businesses when it comes to storing the information they hold on customers, and includes new rules on reporting breaches that result in data losses.

Just before GDPR was introduced, research by the Federation of Small Businesses found that 90% of small companies were not compliant with the stricter regulations.

So, the fact that so many small businesses have still taken no action suggests they are either ignoring the risks or do not fully understand the impact breaching the new rules could have on their future.

Commenting on the results, Paul Rosenthal, CEO of Appstractor, said: “Small businesses have long been in denial about the threat they face from cyber criminals and it seems this denial has carried over into the risk GDPR carries.

“It is not just the financial risk and the fines that can be imposed under GDPR, but businesses now have a responsibility to report a security breach to those whose data has been put at risk. The reputational damage alone of being known as a company that can’t keep its customers’ data safe can be enough to sink a small business before any financial fines are imposed.

“Whatever steps they decide to take, smaller businesses should at least be reviewing how they gather, store and secure customer data to ensure they are as compliant as possible. Unfortunately, it seems many are not taking GDPR seriously enough, which could have serious consequences.”