Organisations continue to struggle with GDPR compliance, especially SMEs

Published on: 13/09/2019


We are almost 18 months on from the implementation of the GDPR on 25 May 2018 and there has been a wealth of surveys reflecting on how well (or not) organisations have done in meeting the new requirements.

Egress recently suggested that 52% of UK businesses are not fully compliant and other organisations, such as RSM and Delphix, have reported that 30% of European businesses were not confident that they had fully complied.     

The ICO published a report in May, “GDPR: One year on”, in which it recognised that SMEs and sole traders find compliance difficult.  It stated that legal bases for processing, data auditing and privacy policies take time to understand and that there are no ‘quick fixes’ for making sure people’s personal data is being processed legally. 

GDPR.EU recently surveyed 716 small business leaders in Spain, the UK, France and Ireland between January and April 2019 to understand how their organisations were coping with the GDPR requirements. The results showed that, despite widespread eagerness to comply (and a lot of money having been paid out by SMEs to do so), there were still areas of confusion and non-compliance. For example, 44% of organisations surveyed said that they did not always get consent or determine a lawful basis before processing data, and 22% said that they did not use technical measures to protect personal data.

The surveys demonstrate that awareness of legal obligations and willingness to engage are on the increase but the sheer complexity of the area has left many organisations struggling to keep up.    

In light of the potential fines for non-compliance, it’s important that organisations do more to ensure their legal obligations are met. Some surveys report a general feeling within SMEs that the ICO will not pursue smaller organisations in respect of breaches, but this is simply not the case. Of course, it will be the larger fines that grab the headlines, such as those against Google, Facebook and British Airways (the ICO has announced an intention to fine BA in excess of £183 million relating to a cyber incident in September 2018), but fines are regularly issued against much smaller organisations.

Clarkslegal’s data protection team can help your organisation.  Whatever your budget, we can work with you to identify a manageable and practical approach.  Get in touch today… 
