UK businesses are still under-prepared for the GDPR - and some don't even know what it is

Small organisations are less likely to be ready than large ones

Almost a quarter (23 per cent) of small businesses (100-250 employees) say that they still haven't made any preparations for the GDPR, which comes into effect in less than a year. Large companies (501+ employees) were much more likely to have taken at least the first steps towards readiness, with 89 per cent having made at least some preparations. The survey, conducted by NetApp, questioned 253 CIOs and decision makers in the UK.

34 per cent of respondents from large companies said that they were fully prepared for the GDPR, while only 19 per cent of those from small companies gave the same answer. On the other hand, 57 per cent of respondents from smaller businesses said that they had made 'some preparations' - although they were not yet fully compliant.

In line with Computing's own research (see below), NetApp found that GDPR awareness is still surprisingly low: as many as 14 per cent of small businesses say that they don't know what it is. They are also not confident in understanding whether or not they are compliant: only 17 per cent say that they absolutely know where the data centres of their service providers are located, and where all of their data is stored. In larger firms, this stat stands at 40 per cent.

Whether large or small, however, understanding of the new regulation is still low enough to be a concern: just 7 per cent of small business respondents said that they fully understand the GDPR, and only 25 per cent of those from large firms. Somewhat more reassuringly, those with a 'good' understanding stood at 28 per cent and 21 per cent, respectively (and 27 per cent from medium-sized businesses). SMBs have at least actively started to look at the GDPR, even if work remains to be done.

Martin Warren, cloud solutions marketing manager at NetApp, said:

"NetApp's survey demonstrates a disparity across the enterprise, with smaller businesses falling behind in preparation for and awareness of the legislation. The risks of non-compliance for a smaller business could be catastrophic - by virtue of size, they are even more vulnerable to the hefty fines for non-compliance. There is a clear need for increased education, particularly among smaller businesses, which should instil greater confidence and propel preparations forwards."

Computing conducted a survey of 100 IT decision makers in May this year, which found that a staggering 47 per cent have either not heard of the GDPR (six per cent), are vaguely aware of it (15 per cent), or have done nothing to prepare for it (26 per cent).

These figures have changed little from another survey in February 2016, which found that 49 per cent of UK organisations fell into one of these three categories.

GDPR events held by Computing in recent months found that IT leaders are still confused about the definition of 'personal data', and the right to erasure leads the pack as the top GDPR compliance concern. We have, however, published a list of resources for you to use to prepare for the incoming regulation.