Over Half of UK Small to Medium Sized Businesses Uncertain of Brexit Impact on GDPR

Half of UK SMBs Not Confident They Can Meet GDPR Requirements; 7 in 10 UK SMBs Believe the Regulation Won’t Make Customer Data Any Safer

LONDON - June 21, 2017

A year after the UK voted to leave the European Union, new research from Webroot, the market leader in endpoint security, network security, and threat intelligence, has revealed that UK small- to medium-sized businesses (SMBs) misunderstand the impact of Brexit on compliance to the General Data Protection Regulation (GDPR).

Webroot found that UK SMBs were unsure if they would have to adhere to GDPR regulation after Brexit, despite the need to be compliant if data of European citizens is held by the organisation. Further questioning on GDPR found that SMBs disagree with the primary thrust of the regulation, which is to help ensure the security of personal data across the EU, and lack confidence that they can meet the regulation requirements. 

Scheduled to go into effect in May 2018, GDPR is intended to strengthen and unify data protection for all individuals within the EU and applies to any company doing business within the EU. Noncompliance penalties are steep, with fines up to €20 million or 4 percent of global annual turnover. A complete list of GDPR requirements can be found here.

Research Highlights:

  • 46 percent of businesses subject to compliance to GDPR were uncertain if they would have to remain compliant to GDPR after Brexit, and 6 percent were certain that they would not.
  • One-fifth (20 percent) of the companies surveyed subject to GDPR haven’t started the compliance process.
  • 71 percent of these businesses haven’t budgeted for the extra resources required to become compliant.
  • Nearly three-quarters (73 percent) of those businesses that have to become compliant didn’t think customer data will be any safer due to the legislation.
  • Despite 81 percent of those that need to become compliant having heard of the regulation, a third (34 percent) were unable to identify basic regulation details correctly.
  • Of this segment, 26 percent thought that compliance was not mandatory, while 8 percent thought the regulation only applied to large businesses.
  • Despite needing to become compliant to continue operations as normal, nearly half of UK SMBs (49 percent) are not confident they can meet the stringent requirements for compliance.
  • In addition to their confusion about GDPR compliance, 51 percent of all SMB survey respondents believe their business is not at risk of cyberattack, indicating a dangerous misperception about the threat landscape and the need for appropriate security measures.

Key Quote:

Adam Nash, Business Sales Leader for EMEA, Webroot

“GDPR compliance should be a crucial part of every organization’s security strategy. In particular, it’s clear that SMBs urgently need to focus their attention on both GDPR compliance and their wider cybersecurity posture. We recommend that all SMBs adopt a multi-layered security approach to meet GDPR; one that includes network security, antivirus protection, and thorough data protection measures.”

Tips for Businesses:

  • Act now. This is the biggest change to data protection laws since the current EU Data Protection Directive was passed in 1995. Getting ready for the GDPR will require time and resources to implement new processes. It’s crucial to get started now so your business is ready.
  • Know your data. Find out what data and personal data your organisation has, where it’s stored, and in what systems. Planned audits and allocated resources for this work should be scheduled in sooner rather than later.
  • Delete. Make sure that any data you do not need is deleted securely. There are legal requirements to maintain certain types of data. But when data retention is not required, disposing of it helps reduce risk. This needs to be done professionally with specialist equipment or software.
  • Communicate. With any process change, effective communication is essential. Proper internal communications to all employees and external communications to suppliers will help make them aware of changes and give them time to amend their own processes in good time.
  • Assess. Consider a privacy impact assessment. When auditing the business’s processing of personal data in relation to GDPR, decide if a privacy impact assessment is required. Consider whether invasive means of collecting personal data are used and if the data is processed fairly and lawfully. Individuals must be informed about the purpose of use and how the business processes personal data in a transparent fashion.

Research Methodology

This research was conducted by Censuswide on behalf of Webroot. Respondents were 501 business decision makers at UK-based small- and medium-sized businesses. Companies needing to comply with the GDPR regulation made up 65 percent (330) of the 501 SMBs surveyed by Webroot. The full report can be found here.

About Webroot

Webroot delivers next-generation endpoint security and network security and threat intelligence services to protect businesses and individuals around the globe. Our smarter approach harnesses the power of cloud-based collective threat intelligence derived from millions of real-world devices to stop threats in real time and help secure the connected world. Our award-winning SecureAnywhere® endpoint solutions, BrightCloud® Threat Intelligence Services, and FlowScape solution protect millions of devices across businesses, home users, and the Internet of Things. Webroot is trusted and integrated by market-leading companies, including Cisco, F5 Networks, Aruba, Palo Alto Networks, A10 Networks, and more. Headquartered in Colorado, Webroot operates globally across North America, Europe, and Asia. Discover Smarter Cybersecurity solutions at www.webroot.com.
