With GDPR’s two-year anniversary looming, it seems that smaller firms have yet to get to grips with large swathes of the regulation, with more than a third believing GDPR does not apply to the customer data they hold and just under half (49%) under the impression it does not apply to online browsing data either.
This is despite the fact that the vast majority (90%) of SMEs feel confident in their understanding of GDPR and have a positive impression of its impact on their processes and operations.
So says a new report by the DMA, which quizzed 293 senior and mid-level executives across a range of business sectors.
The report calls this discrepancy "a significant concern to the data and marketing industry, not to mention a risk to these businesses that are so vital to the UK economy".
Many individuals, moreover, rely on colleagues to ensure they have the knowledge and understanding that fulfilling their roles demands.
Approximately three-quarters of those surveyed suggested their organisation’s collective knowledge about the data protection changes brought in with GDPR is high.
Sentiment among SMEs about how GDPR has changed the way their organisation works is generally positive, with 60% of respondents reporting improvements to internal processes. There has also been a positive impact on marketing programmes for 54%, while 49% have seen improvements to the sales process.
Conversely, 18% of SMEs felt their business, in general, has been negatively affected by GDPR, while a quarter (25%) have seen no change.
Worryingly, a significant proportion of SMEs have not even begun to undertake key processes required for them to remain on the right side of compliance.
Just over a quarter (28%) have yet to begin auditing third-party data, while just over a fifth (22%) have not conducted a data protection impact assessment (DPIA).
DMA head of insight Tim Bond said: “This may well be down to the lack of advice and training made easily available to help these organisations ensure they are not falling foul of the new laws. Compliance is clearly an important issue when it comes to GDPR, but it’s also important to remember that the benefits of being diligent with data go far beyond that.
“The key for businesses, large or small, is ensuring they are putting their customers first and at the heart of everything they stand for as an organisation. Only then will they be able to build relationships based on authenticity, transparency and trust that will drive reputation and prosperity.”
However, non-compliance is nothing new. In the run-up to the GDPR D-Day of 25th May 2018, Experian research revealed that nearly half of all companies were still struggling to get in shape with the UK Data Protection Act 1998. The company worked out that if firms took as long to become GDPR compliant, it would not be until 2037 that the majority get it right.