GDPR study


A year after the UK voted to leave the European Union, new research from Webroot, a network security and threat intelligence product company, has found that UK small- to medium-sized businesses (SMBs) misunderstand compliance with the General Data Protection Regulation (GDPR).

Webroot found that UK SMBs were unsure if they would have to adhere to GDPR regulation after Brexit, despite the need to be compliant if data of European citizens is held by the organisation. Further questioning on GDPR found that SMBs disagree with the primary thrust of the regulation, which is to help ensure the security of personal data across the EU, and lack confidence that they can meet the requirements.

Due to come into effect in May 2018, GDPR is intended to strengthen and unify data protection for all individuals within the EU, and applies to any company doing business within the EU. Noncompliance penalties are greater than under the current ICO regime, with fines up to 20 million euros or 4 percent of global annual turnover.

The research found:

– 46 percent of businesses subject to GDPR compliance were uncertain whether they would have to remain compliant with GDPR after Brexit, and 6 percent were certain that they would not.

– One-fifth (20 percent) of the companies surveyed subject to GDPR haven’t started the compliance process.

– 71 percent of these businesses haven’t budgeted for the extra resources required to become compliant.

– Nearly three-quarters (73 percent) of those businesses that have to become compliant didn’t think customer data will be any safer due to the legislation.

– Despite 81 percent of those that need to become compliant having heard of the regulation, a third (34 percent) were unable to identify basic regulation details correctly.

– Of this segment, 26 percent thought that compliance was not mandatory, while 8 percent thought the regulation only applied to large businesses.

– Despite needing to become compliant to continue operations as normal, nearly half of UK SMBs (49 percent) are not confident they can meet the stringent requirements for compliance.

– In addition to their confusion about GDPR compliance, 51 percent of all SMB survey respondents believe their business is not at risk of cyberattack, indicating a dangerous misperception about the threat landscape and the need for appropriate security measures.

Adam Nash, Business Sales Leader for EMEA, Webroot said: “GDPR compliance should be a crucial part of every organization’s security strategy. In particular, it’s clear that SMBs urgently need to focus their attention on both GDPR compliance and their wider cyber-security posture. We recommend that all SMBs adopt a multi-layered security approach to meet GDPR; one that includes network security, antivirus protection, and thorough data protection measures.”

The IT security firm offers tips for businesses:

– Act now. This is the biggest change to data protection laws since the current EU Data Protection Directive was passed in 1995. Getting ready for the GDPR will require time and resources to implement new processes. It’s crucial to get started now so your business is ready.

– Know your data. Find out what data and personal data your organisation has, where it’s stored, and in what systems. Planned audits and allocated resources for this work should be scheduled in sooner rather than later.

– Delete. Make sure that any data you do not need is deleted securely. There are legal requirements to maintain certain types of data. But when data retention is not required, disposing of it helps reduce risk. This needs to be done professionally with specialist equipment or software.

– Communicate. With any process change, effective communication is essential. Proper internal communications to all employees and external communications to suppliers will help make them aware of changes and give them time to amend their own processes in good time.

– Assess. Consider a privacy impact assessment. When auditing the business’s processing of personal data in relation to GDPR, decide whether a privacy impact assessment is required. Consider whether invasive means of collecting personal data are used and whether the data is processed fairly and lawfully. Individuals must be informed, in a transparent fashion, about the purpose of use and how the business processes personal data.

This research was conducted by Censuswide on behalf of Webroot. Respondents were 501 business decision makers at UK-based small- and medium-sized businesses. Companies needing to comply with the GDPR regulation made up 65 percent (330) of the 501 SMBs surveyed by Webroot. The full report can be found here.