Almost half of UK businesses expect to be fined for GDPR non-compliance
New research by data privacy experts Ensighten suggests that nearly half (45 percent) of UK businesses have put money aside to cover possible fines connected to GDPR non-compliance. The legislation comes into effect on May 25.
The research investigated UK marketers’ attitudes to data governance, and found that 61 percent of respondents would apply for an extension on the deadline if they had the choice, due to mounting fears that they will not meet GDPR requirements in time.
Just 26 percent of UK marketers stated that they were “very confident” that their data governance procedures were robust enough to be deemed compliant. The majority of businesses were doubtful that they would meet the full standards on time, while seven percent admitted to not having implemented any GDPR-related actions yet, with less than a month until the deadline.
For those marketers that are underway with their GDPR preparations, 63 percent stated that they have new policies in place to increase the quality of data they will receive after 25 May. However, fewer than half (47 percent) of marketers are enforcing new policies on partner data acquisition, which may leave them exposed to GDPR non-compliance.
“Unfortunately, we found that brands are aware, but still uncertain in their final month of GDPR preparation,” said Ian Woolley, chief revenue officer at Ensighten. “The research shows that 45 percent of UK businesses have set money aside in anticipation of regulatory fines. The good news is that brands still have time to deploy and optimize customer privacy and consent options on their websites.”
One of the key reasons that Ensighten found behind this lack of preparation was an absence of accountability, with little consensus among businesses regarding who should be in charge of GDPR overall. Among respondents, 32 percent pointed to the CEO, 26 percent to the chief data officer and 22 percent to the chief marketing officer. Only 14 percent cited the data protection officer as the risk manager, yet this is a GDPR-mandated position where organizations perform regular and systematic processing of data subjects on a large scale.
“Educating consumers on how their personal data is used and why their permission is needed is essential to building consumer trust and gaining their opt-in consent,” said Woolley. “GDPR is not just a legal hurdle to jump. Whilst brands are putting money aside for fines, they should not underestimate the damage to their reputation and business from not educating customers now.”