With all the hype around GDPR and 2017’s cyber-attacks (remember what happened to the NHS earlier this year?), individuals are far more aware of, and hot on, their data rights than they ever were before. However, we’ve found that many SMEs are still not completely clear about what they need to do to ensure they’re comfortable and ultimately compliant. It’s not surprising really: a busy business owner doesn’t have the time or the energy to read through swathes of (sometimes conflicting) information on the internet about what they need to be aware of and what they need to do.
That’s why we launched the LawBite GDPR Checklist towards the end of October ‘17, to get businesses thinking about the areas in need of their attention. Since then, almost 200 SMEs have completed it. Of these, around 60% have 1 – 5 employees, 20% have 6 – 20 and the remaining 20% have 30+.
But what were some of the most interesting findings from their responses?
Here are the top 5 surprising stats we have compiled from our responses so far:
1. At a basic level, a third of respondents had no idea whether they were ‘data controllers’ or ‘data processors’.
> This legal jargon may be puzzling, but it’s important to know what the difference is and which applies to your organisation. In essence, a data controller collects information and a data processor actually does something with it – so you could very well be both! You have different obligations under the GDPR for each.
2. A whopping 77% of respondents said they had no training programme in place for staff for data management and a further 13% said they weren’t sure.
> It is essential that the people who work for you, particularly those who handle and process data (think marketing and sales teams!), know exactly what they’re doing with your customers’ information and are aware of the new GDPR rules. Can you really trust your staff to read up about GDPR, understand what it all means for their work and seamlessly get on with it?
3. We asked whether respondents knew what lawful basis they had for collecting and processing personal data. Disappointingly, under half – 41% – knew.
> This is a pretty fundamental question: do you absolutely know that your data collection and processing is lawful? As a business, you should understand the grounds you have for collecting and using people’s personal information.
4. In terms of understanding the rights of data subjects under GDPR, it was another disappointing result, with 77% of respondents admitting they didn’t know or simply weren’t sure.
> Part of understanding the law is knowing what rights your data subjects have over the information you hold about them. The GDPR has solidified and strengthened many of the rights people had under the Data Protection Act. For example, you might have heard about the right to erasure, or ‘right to be forgotten’, under which individuals can request that their data be deleted if there is no compelling reason for you to keep it.
5. Finally, we asked about the systems that handle their data and whether those systems were ‘secure’. Promisingly, two-thirds thought they were (and, worryingly, a third thought they weren’t!). At the same time, only half said they knew what to do if the worst came to the worst and they actually had a data breach.
> Your users need to be confident that when you collect their data, you’re storing it securely, and that if a breach were ever to happen, you have a considered response and are complying with your obligations. We all know that the technological world is not always 100% reliable, and with hackers becoming ever more sophisticated, GDPR now makes it very clear how important this is.
Are you surprised by the results? How do you think you’d fare? We’d hate for your business to get caught out, or even for someone to lodge an official complaint with the Information Commissioner’s Office (ICO). Why not take our free LawBite GDPR Checklist today and see how you get on?
We also have a free and more comprehensive GDPR Audit document you can request and discuss with one of our lawyers by submitting an enquiry to our team here.
– LawBite Marketing Team