Third of small businesses don’t feel GDPR applies to them

GDPR readiness

While the majority of small businesses feeling positive about the recently-introduced General Data Protection Regulation (GDPR) rules, more than a third don’t feel that certain aspects of the law apply to them.

A significant portion of data decision-makers within small and medium-sized businesses (SMBs) do not believe that the laws apply to the customer data they hold, according to a report produced by the Data and Marketing Association (DMA).

Just under half of the businesses, 49%, also believe the law isn’t applicable online browsing data.

This is despite the fact that the majority of SMBs, 90%, feel confident in their understanding of the new data protection laws, and have a positive impression on the impact on their processes and operations.

“This is a significant concern to the data and marketing industry, not to mention a risk to these businesses that are so vital to the UK economy,” the report said.

“The split between those that appear to have a good understanding of where GDPR is applicable and those that don’t is also one that we’ve used elsewhere in this report to analyse the drivers behind this discrepancy.”

Many individuals, moreover, rely on colleagues to ensure they have the knowledge and understanding that fulfilling their roles’ demands.

Approximately three-quarters, 74%, of the 293 respondents at senior level or mid-level management suggested their organisation's collective knowledge about the data protection changes brought in with GDPR is high.

Sentiment among SMBs about how GDPR has changed the way their organisation works is generally positive, with 60% of respondents seeing reporting improvements to internal processes.

There has also been a positive impact on marketing programmes, true for 54%, as well as 49% seeing improvements to the sales process.

Conversely, 18% of SMBs felt their business, in general, has been negatively affected by GDPR, while a quarter, 25%, have sustained no change.

Worryingly, with 18 months having transpired since GDPR came into force, a significant portion of SMBs haven’t begun to undertake a host of the key processes required for them to remain on the right side of compliance.

Nearly a third of SMBs, 28%, for example, have not yet begun to audit third-party data, while 22% of firms haven’t conducted data protection impact assessments (DPIAs).

“This may well be down to the lack of advice and training made easily available to help these organisations ensure they are not falling foul of the new laws. Compliance is clearly an important issue when it comes to GDPR, but it’s also important to remember that the benefits of being diligent with data go far beyond that,” said the DMA’s head of insight Tim Bond.

“The key for businesses, large or small, is ensuring they are putting their customers first and at the heart of everything they stand for as an organisation. Only then will they be able to build relationships based on authenticity, transparency and trust that will drive reputation and prosperity.”

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.