The average UK SME spent 600 hours of the past 12 months preparing for the arrival of the GDPR in May 2018 – but 2.1 million have yet to act.

With six months to go until the General Data Protection Regulation (GDPR) deadline of 25 May 2018, new research has revealed that, while six-in-10 SMEs are getting ready for 25 May 2018 GDPR deadline, many remain unprepared.

And while nearly two-thirds (61%) of UK SMEs are now planning for the GDPR (61%), four-in-ten (43%) business owners told a survey by The Data Compliance Doctors said marketing staff had raised concerns about their current ability to handle and use data in accordance with GDPR.

In response, 44% had reorganised operational responsibilities and processes.

As AM prepares to give its readers valuable guidence and insight into the GDPR at a dedicated conference in Milton Keynes in February, Lisa Chittenden, data compliance doctor at The Data Compliance Doctors, said: “Our survey has revealed a mixed bag in terms of GDPR preparation amongst SMEs.

“Some have spent a lot of time and money to ensure they are in a good position come May 25, 2018.

“However, our figures show there are many thousands that have not even started, despite all the discussion and media stories in recent months. But, with six months to go, it’s not too late to get yourself up to speed.”

The research, commissioned by The Data Compliance Doctors, was carried out by Atomik Research, and took place October 25 to November 2, 2017, among a sample of 500 SME owners.

It found that the most common business function that SMEs had adjusted in preparation for GDPR was sales (57%), followed by IT (55%) and marketing (45%). These groups were also the most likely to have received GDPR training (sales and IT both 39%, and marketing 35%).

Over a quarter (27%) of SMEs said they had hired new staff to help prepare for GDPR, spending an average of £13,300 on salaries so far.

As a result, over half (54%) felt they have the right GDPR expertise in-house. Half of those questioned had also invested in expert guidance or consultancy, spending almost £8,000 each on fees to date.

Despite this added expenditure, nearly three-quarters (73%) did not have detailed documentation to evidence their GDPR compliance and over two thirds (64%) of businesses had no plan in place for customer data breaches, The Data Compliance Doctors reported.

When asked about their plans to comply to GDPR, most business owners (69%) said that they planned to contact customers directly for consent to retain and process their data.

Most businesses will use a combination of methods with 70% doing it via email, 43% by phone and 38% by letter. Nearly two thirds (61%) also plan to use the ‘legitimate interest’ route to comply, scheduling their GDPR compliance outreach between 1 and 15 January 2018.

Chittenden shared some advice for businesses preparing for the arrival of the GDPR. She said: “I’d caution those businesses planning to contact customers direct for data consent, as opt-in communications can dramatically reduce the number of customers you can talk to.

“However, there’s a variety of other ways to make data eligible for marketing use - some of which provide greater scope to keep historic information.

“Our figures reveal that a third of business owners are unsure of the different laws relating to mail versus electronic communications for this purpose.

“A further third are also unaware of the different permission types, so I’d encourage them to seek expert advice or do some research to ensure they’re fully compliant.”

  • AM will host a GDPR conference covering the major aspects of the new EU legislation at the Hilton Doubletree, Milton Keynes, on 22nd February 2018.

The speakers include data experts from the Direct Marketing Association and cyber security experts.

For more information about the event – or to confirm your attendance by booking a place – visit https://amgdprconference.am-online.com/