The Federation of Small Businesses (FSB) has warned that up to 90% of small businesses are unprepared for GDPR. The figure comes as the countdown to 25 May continues. With 85 days left before the regulation comes into force it seems just eight percent of small businesses have completed their preparations.
A briefing paper for the UK Government by Chris Rhodes provides a worrying background to the scale of this problem. There are 5.7 million private sector businesses in the UK. Over 99% of these are classed as small or medium-sized businesses with 0-249 employees. They turn over £1.9 trillion and employ 60% of the UK workforce.
Mike Cherry, FSB National Chairman, said: “The GDPR is the biggest shake-up in data protection to date and many small businesses will be concerned that the changes will be too much to handle. It’s clear that a large part of the small business community is still unaware of the steps that they need to take to comply and may be left playing catch-up.”
Part of the problem for SMEs is understanding what applies to them and what they need to do. The GDPR legislation is large and takes careful reading to understand. Interpreting the legislation, especially for small businesses lacking legal and technical staff, is challenging. This is why many are looking to the UK Information Commissioner’s Office (ICO) for information.
Who does the FSB think is in the most trouble?
The FSB research shows that 33% of small businesses have not yet started to prepare for GDPR. A further 35% are in just the early stages of preparation. The two sectors with the biggest problem are hospitality and arts & entertainment. Both of these tend to hold a lot of personal data on individuals including names, addresses, age, email address and, in some cases, credit card details.
These are also businesses that rely on mailing lists to contact past customers and sell to new customers. With GDPR they will have to have a process to regularly ask people if they want to stay on those mailing lists.
Small businesses are also going to be hit hardest by right of access to data and the right to be forgotten. Both of these require processes to search for and provide information. With GDPR there are just 28 days in which to respond and businesses cannot charge for locating the data.
Those businesses with well-designed IT systems should be able to deal with these requests with relatively low costs. Those who are still paper based, such as small theatres, hotels and B&Bs, will struggle. This means that they will not only incur costs in responding but could find themselves struggling if they are reported for failure.
Be Data Ready campaign
To help small businesses to get a better grip on what is required, the FSB has launched its Be Data Ready campaign. It has published a document called ‘Data Ready, Mitigating the impact of data protection regulation on small businesses’ on its website. Most of the 20-page document focuses on the legislation and what it means. What it doesn’t do is provide a set of call-to-action items that a small business could use to start its GDPR preparation.
On page 16 there is a list of compliance measures that respondents to the FSB survey have said they are taking. Page 17 then gives the average cost of these measures, broken down by sector.
According to Cherry: “With less than 100 days until the changes come into force, the attention now shifts to the Information Commissioner’s Office and whether it can effectively manage the demands of small businesses seeking advice and guidance. It is vital that smaller firms looking for this support, either by phone or the web, are able to get it easily.”
What does this mean?
In reality this survey just continues to show how poor preparation for GDPR is across the UK. Small business owners have to accept some of the blame for this. They’ve ignored the constant warnings, with some believing that this only applies to large enterprises. Last year there was a lot of talk that as a result of Brexit the UK wouldn’t be subject to GDPR. Both myths have been dispelled with the UK Government announcing plans for GDPR plus last year.
This is not the first major legislative change to catch out small businesses. Many are unprepared for the HMRC Making Tax Digital programme that is being rolled out. When the VAT Mini One Stop Shop (MOSS) rolled out a couple of years ago it caused chaos for a lot of small and micro-businesses.
Part of the problem here is that these programmes are talked about a lot and advice is published on government websites, but small business owners claim to have no time to keep up to date. Arguably this is their own failing and an opportunity for organisations such as the FSB to step in. However, there is also a case for the ICO to have mailed checklists out to get people started. That said, it has done a far better job than the majority of its European counterparts.
Time is running out for those businesses who haven’t started or are in the early phases of GDPR preparations. If they don’t get this sorted then they are heading for some fairly serious consequences.