Report shows half of small businesses confused by GDPR

Aon’s SME Cyber Survey 2018 has revealed that small businesses lack awareness of data protection, the GDPR (General Data Protection Regulation) and privacy regulations.

Half of those questioned admitted to being ‘confused or unaware’ of the rules around the GDPR, and 68% did not know that data breaches must be reported to the ICO (Information Commissioner’s Office).

More concerning is that eight out of ten SMEs do not see cyber attacks or data loss as a significant risk to their business.

Key findings

25% of the SMEs surveyed allow employees to use their own devices at work, which could result in unencrypted personal data being stored on devices outside the organisation's control and increases the risk of a security incident. 65% do not dispose of confidential paper records correctly.

Four in ten didn’t know that loss of paperwork could be a data breach, while 36% didn’t know that personal data emailed, faxed or posted to the incorrect recipient could also be a breach.

Common mistakes

  • 11% record customer phone calls that include payment information.
  • 11% admitted to having a visitor book in their office that allows anyone signing in to see the details of other visitors.
  • 18% store files potentially containing customer data outside of a defined structure/naming system.

Chris Mallett, a cyber security specialist at Aon, said:

As the results show, many businesses could be in breach of GDPR – most likely without even realising it.

Visitors' books, allowing staff to use their own mobiles for work purposes and even seemingly minor things like distributing sponsorship forms around the office carry risk.

Yet these sorts of things are commonplace among businesses big and small across the UK.

Raise awareness

Organisations must address issues quickly and prioritise the areas where a lack of action leaves them most exposed.

One key action is educating your staff. An e-learning course, which can be taken around existing workloads, can be executed quickly and with minimal hassle. Our GDPR Staff Awareness E-learning Course introduces the Regulation and explains the key compliance obligations in non-technical language, which makes it suitable for all employees.

Available in English, French, German, Italian and Spanish.

Get in touch today to request your free trial.