With just days to go until enforcement of GDPR begins on 25 May, nearly a quarter (22 percent) of small business owners are totally unaware of the forthcoming General Data Protection Regulation, according to the first data released from Shred-it’s eighth annual Security Tracker research, conducted by Ipsos.
Ipsos conducted a quantitative online survey of two distinct sample groups – 1,000 Small Business Owners (SMO) in the United Kingdom, all of which have fewer than 100 employees, and over 100 C-Suite Executives in the United Kingdom within businesses of over 250 employees.
The research makes clear that there is a huge disparity in terms of preparedness and focus based on the size of businesses. Ninety-seven percent of C-suite executives at large companies have at least a basic understanding of GDPR, compared to 78 percent of small business owners. Forty-seven percent of the top brass at larger firms are confident of having detailed knowledge. That figure for small businesses is just 10 percent.
According to the study, London-based businesses are also much more aware than those in other regions, with just 12 percent stating that they were not at all familiar with GDPR, compared with much higher figures in the Midlands (30 percent), the North (23 percent), Scotland (20 percent) and Wales (17 percent).
Alarmingly, though, small business owners are more complacent and typically underestimate the scale of the task at hand: fewer than a third (30 percent) acknowledge that they will face a challenge becoming compliant with GDPR by the deadline, compared to 64 percent of C-suite executives.
Neil Percy – vice president market development and integration EMEA, Shred-it said: “In the lead up to May 25th and beyond, it’s crucial that organisations of all sizes begin to take a proactive approach in preparing for GDPR. To see so few firms aware of the regulations right on the eve of enforcement beginning is alarming to say the least.”
“Companies need to audit their current data flows and assess where confidential information may be at risk, either in digital or physical form, and take steps to restrict accessibility and delete or, if in physical format, securely destroy it when necessary. All too often organisations place themselves at risk of breach by not connecting the need to protect physical confidential material with the same level of security applied to the same data held electronically. GDPR will view a breach of data equally regardless of electronic or physical in format.”
GDPR is new privacy legislation adopted by the European Parliament that affects any business, anywhere in the world, that controls or processes the personal information of EU citizens. It includes tough new penalties for companies that are not compliant – potentially fines of up to four percent of annual revenue. At the heart of the GDPR legislation are requirements to protect people’s personal information, meaning a greater focus on encrypting digital information, safer practices in handling sensitive hard copy documents, and establishing policies around the storage and deletion of both.
Company Policy is a Mixed Bag
It is not just GDPR where an awareness gap is apparent. Fifteen percent of small business owners admit they do not understand the legal requirements for handling confidential information in their industry more generally. Less than half (44 percent) claim to have a strong understanding. Forty-two percent of small businesses do not have, or are unsure if they have, a policy for employees on handling confidential documents. Ninety-five percent of larger firms have a policy; however, a quarter of leaders (24 percent) admit that not all employees are aware of it.
As well as documenting the gap in understanding, the research also shines a light on practices that will put organisations in breach of GDPR requirements. Businesses of all sizes undergo security scares that could prompt the ICO to investigate them on GDPR grounds: 11 percent of companies have had employees lose a company mobile phone, nine percent report employees losing company laptops and eight percent have lost paper documents with sensitive company info.
Large companies are more likely to have a policy or process in place that requires employees to report an information security issue: 85 percent of C-Suites vs. 40 percent of small business owners. Thirty-five percent of small businesses do not have any policy in place on disposing of paper documents and 42 percent don’t have one relating to disposing of end-of-life electronic devices.
“Incidents like losing a laptop or mobile phone if not effectively password protected or insecurely disposing of a printed document confidential in content when working outside of the office, may have much bigger consequences for businesses under GDPR,” said Neil Percy, Vice President Market Development and Integration EMEA, Shred-it. “You may need to report those kinds of losses to the Information Commissioner’s Office, and it is possible that they will then look at the policies and processes you have in place and how well understood and followed they are by employees.”