GDPR news: GDPR turns six months old

25/05/2018: GDPR is here - are you ready for it?

New laws handing people more control over how organisations use their personal data came into effect today, although many businesses expected to struggle with compliance for months to come.

The EU's General Data Protection Regulation (GDPR) applies to any organisation using or processing the personal data of EU residents, imposing tough penalties on those that fail to protect such information adequately.

"Almost everything we do keeping in touch with friends on social media, shopping online, exercising, driving, and even watching television - leaves a digital trail of personal data," explained information commissioner Elizabeth Denham.

"We know that sharing our data safely and efficiently can make our lives easier, but that digital trail is valuable. It's important that it stays safe and is only used in ways that people would expect and can control."

Her office, the Information Commissioner's Office (ICO), will regulate adherence to the rules in the UK, and can charge up to 4% of a company's turnover, or 20 million, for breaches of the rules - up from 500,000 maximum fine under the 1998 Data Protection Act.

However, on the eve of the regulation's arrival, almost half of British citizens still appeared ignorant of the term GDPR, and one-third uncertain how GDPR would impact them, according to a study conducted on behalf of Top10VPN.com.

Meanwhile, thousands of businesses are expected to miss the deadline for compliance.

Around 60% of UK businesses are prepared for GDPR today, leaving a large minority still struggling to comply, according to a Spiceworks study released yesterday. Just a quarter of US businesses will meet today's deadline, however, and under half of EU organisations expect to be ready.

The biggest problem for those that remain non-compliant is a lack of time and resources, 60% of respondents expecting to miss the deadline told Spiceworks, followed by around 25% citing an inadequate IT budget and those saying compliance isn't a priority for them (30% in the UK and 40% in the US) despite the threat of higher fines.

Some firms such as Wetherspoons have opted to entirely delete their customer databases, deciding holding such data is not worth the risk of non-compliance, while thousands of others are asking customers to re-consent to marketing communications.

Meanwhile some US websites have blocked certain EU countries from accessing their sites while they remain non-compliant, with both The Chicago Times and The LA Times doing so. Other websites asked users to agree to new terms and conditions that comply with GDPR.

The LA Times blocks access from EU member states including the UK

However, speaking ahead of GDPR coming into force, Denham said: "It's an evolutionary process for organisations no business, industry sector or technology stands still. Organisations must continue to identify and address emerging privacy and security risks in the weeks, months and years beyond 2018."

24/05/2018: Almost half of Brits haven't heard of GDPR

With less than 24 hours to go until the EU's new data protection law come into force, a new study has revealed that almost half of people in the UK haven't heard of GDPR.

The study, conducted earlier this week on behalf of Top10VPN.com, showed that 44% of respondents hadn't even heard of the term 'GDPR', despite numerous promotional campaigns and business activity around the new regulations.

While people are broadly aware that data privacy laws are changing, public awareness of what those changes actually entail remains low; one-third of people reported that they had no idea what impact GDPR would have on them, with one in 10 under the impression that giving a company consent to hold your data means that you're unable to revoke it later on (you can).

"Our personal data is a version of each of us - what we've done, what we've read, where we've been and who is in our network," information commissioner Elizabeth Denham wrote in a blog post.

"It is our health status, our financial decisions, our political beliefs and affiliations. Our desire to book a flight, update our browser, or sign up for a service should not be governed merely by terms and conditions set by an organisation. Life is too short to decipher fine print."

"The new laws provide tools and strengthened rights to allow people to take back control of their personal data," she added.

On top of this worrying lack of public awareness, a study released today by think tank Parliament Street showed that UK universities are spending shockingly low amounts on GDPR compliance.

Universities hold some of the largest collections of sensitive personal data in the country, including the financial and academic data of millions of young people, but in spite of this, they are allocating an average budget of just over 40,000 to deal with the regulations.

In total, the 16 academic institutions that disclosed their GDPR budgets spent 640,885, but the actual spending was widely varied. The list was led by Cranfield University, which specialises in post-graduate studies and spent almost 158,000. Heythrop College, the University of London's philosophy and theology branch, came in bottom, with a spend of just 1,462.

This compares to an average spend of 1.3 million for UK firms to comply.

The Information Commissioner's Office (ICO) stressed the business advantages of GDPR to businesses struggling to comply ahead of tomorrow's deadline.

"Governed by these laws, organisations will have the incentive and the opportunity to put people at the heart of their data services," Denham said. "Being fair, clear and accountable to their customers and employees, organisations large and small will be able to innovate with the confidence that they are building deeper digital trust."

As the deadline for GDPR looms, organisations have been scrambling to make sure that they're adequately prepared. So much so, in fact, that the ICO's website was briefly taken offline this morning - presumably by the sheer weight of traffic from organisations attempting to check whether or not they're compliant.

22/05/2018: Less than half of employees aware of company GDPR preparations

Only 43% of UK employees are aware of their company's GDPR preparations, according to new research, despite the incoming regulations coming into effect just days from now.

Just four in 10 staff were aware of what their company was doing to prepare for the data protection legislation, leaving well over half in the dark, One Poll's study of 1,000 UK non-legal and non-technical employees found, carried out on behalf of Egress Software.

One in 10 respondents were unaware they handle personal data in their day-to-day jobs, the survey found, and 57% admitted they couldn't correctly identify when it would need to be protected.

When presented with categories of personal data such as addresses, phone numbers and email addresses, dates of birth, and financial information and asked which information they would need to protect in an email attachment, only 43% correctly identified that all of the data would need to be protected. A fifth of respondents admitted that they didn't know if any of it would need to be secured.

But some firms are getting on with technical compliance, with 42% of employees provided with a way to safely share information at work, such as email encryption, encrypted file transfer or secure project collaboration tools.

However, 20% of people admitted to using personal apps or web services to share company documents - out of sight of IT, which may struggle to control what employees choose to share on their personal devices and apps. Personal email was the most popular non-authorised way to share documents, cited by 12% of respondents, while other answers included social media (7%), messaging apps (7%) and personal cloud storage (3%). This behaviour puts personal data at higher risk of unauthorised access and makes the organisation liable for a data breach under GDPR.

The survey found that the marketing department was the worst offender, with 70% of personnel admitting to having used personal accounts to share corporate data, with social media being the most popular. Employees in this department were also most likely to handle personal data (96% of marketing respondents).

"Most of the time, employees aren't trying to put their company at risk," said Tony Pepper, CEO of Egress.

"They are just trying to get their job done, and often turn to personal apps and devices simply because they find them more convenient. However, this creates massive risk of non-compliance with GDPR, with organisations unable to track where data is stored and who is accessing it."

In a separate survey by secure storage firm Apricorn, 50% of organisations aware of GDPR admit that a lack of understanding of the data they collect and a lack of processes is their number one compliance concern. On top of this, 37% believe they are most likely to fail because of gaps in employee training, and almost a quarter said their employees don't understand the new responsibilities that come with GDPR. Less than a third (29%) of surveyed organisations felt confident they would comply.

17/05/2018: Organisations face losing half of their subscriber base under GDPR

Businesses face a drop-off rate of more than half of subscribers to their marketing and mailing lists after sending 'opt-in' emails under GDPR, new findings show.

With the European Union's General Data Protection Regulation (GDPR) set to come into force by the end of next week, businesses and organisations are seeking to re-obtain consent from their customers and subscribers.

As a result, a slew of emails are being sent from companies requiring their subscribers to actively opt-in to continue to receive updates, with results of a poll commissioned by Accenture Security revealing customers are being inundated - with more than half declining to re-consent.

One in 10 adults have recorded receiving more than 30 such emails in the last two weeks, while 19% of respondents recorded seeing between 11 and 20 emails during this period, an average of one per day.

Of the 2,019 UK adults surveyed, 54% indicated they would not be re-subscribing to organisations' mailing lists when prompted to - with 33% deleting these emails and a further 21% taking no action at all - leaving businesses to face a drop-off rate of more than half to their marketing base.

"GDPR is forcing brands to receive renewed consent from consumers so that they can continue to use their personal data," said Nick Taylor, managing director at Accenture security. "The response to this poll shows that a lot of people, when they realise the information they're sharing, are backing out.

"The brands that will be successful in obtaining this consent are those that view the GDPR 'process' as an opportunity to engage with people, and not as a compliance 'tick-box' exercise. If people can see the value exchange, they will remain enthusiastic and are more likely to grant this consent."

Businesses don't have to re-consent their databases to comply with GDPR as long as those subscribers were gained in a way that is compliant with the legislation.

The findings were part of a survey of data subjects' digital footprints in light of GDPR's 'right to be forgotten'. 70% of respondents agreed that people should have this right, with data security, 68%, and a lack of control over hidden data, 62%, the two greatest concerns.

Among other findings, marketing companies were considered the least trusted to handle personal data, 75%, followed by social media networks, 71%, and dating sites, 70%, with over half of customers saying they saw no benefit of letting companies hold their data.

Taylor continued: "In the past, consumers have voted with their wallets; the GDPR now means they will also vote with their data. This research shows that many people don't fully believe companies will do right by their personal information and so businesses clearly have a job to do to build digital trust.

"Doing this successfully will bring rewards in collecting, segmenting and responding to customer needs. GDPR represents an opportunity for companies to prove themselves, deepen digital trust and do more, not less, with consumer data."

08/05/2018: Companies still unprepared for GDPR

Just six in 10 company directors feel their organisation is fully compliant with the incoming GDPR regulations, according to a new survey from the Institute of Directors (IoD).

Its poll of 700 UK bosses found that many remain unprepared for GDPR, despite the legislation coming into force in less than three weeks.

Business leaders' confidence in their preparations has degenerated over the past six months as the monumental scale of the regulations has hit home, the IoD found. In fact, 40% of respondents admitted they are not confident about how GDPR will impact their companies.

In a previous survey the IoD conducted in August last year, 43% surveyed expressed a high degree of confidence over their preparations and state of readiness, but this has since plummeted to 16%.

Companies were most likely to turn to external private advisors for help in preparing for GDPR, as well as business membership organisations like the IoD and the UK data protection regulator for guidance, according to the IoD. It said it has so far directly assisted more than 1,000 members, providing guidance and template policies.

Jamie Kerr, head of external affairs at the IoD, said that SMBs are struggling to "digest" the sheer scale of the legal changes.

"GDPR has been a long time coming for businesses, but it is only proving more formidable as the deadline looms and companies drill down into the detail," he added. "The regulator has assured small businesses that there will not be a sudden inquisition once the rules enter into effect but with such large penalties for non-compliance, firms must assess what they have to do to avoid falling foul of the legislation, and they must do so soon."

Kerr added that the government's immediate priority should be to "ensure the ICO has the resources it needs to make a big final push to assist small businesses in the run up to this month's deadline".

02/05/2018: UK organisations more prepared for GDPR than EU and US counterparts

Nearly two-thirds (61%) of UK organisations are already compliant with GDPR or expect to be by the 25 May deadline, according to a new survey.

The research, carried out by IT platform company Spiceworks last month, found that in comparison, just 46% of organisations in the rest of the EU and only 25% in the US, were in a similar position.

The company said that the findings indicate most organisations are not concerned about potential GDPR penalties, and as a result, many organisations aren't prioritising compliance.

The survey also found that only 14% of UK organisations, 9% of EU organisations, and 3% of US organisations believe they'll be fined for not complying with the GDPR by the 25 May deadline.

Although concerns over fines are low, respondents do have lingering questions about the impact the GDPR will have on their organisation. For example, around one-third of IT professionals believe the GDPR will make their jobs more difficult, and about 20% believe the GDPR will make it more difficult for their company to do business.

Among organisations impacted by the GDPR, the results show UK organisations are further ahead in their preparations. More than 60% are conducting data audits and documenting their processes to prove compliance, compared to less than half of EU organisations and less than one-third of U.S. organisations. Additionally, 59% of UK organisations are training employees to be GDPR compliant, compared to 54% in the EU and 21% in the US.

The results also show UK organisations are spending the most time on GDPR readiness. Nearly a third (30%) of UK organisations expect their IT department to spend more than 120 hours preparing, compared to 25% in the rest of the EU and 18% in the U.S. Nearly 60% of US organisations expect their IT department to spend less than 40 hours preparing for the GDPR.

"On paper, most IT pros support the principles of the GDPR and want to protect personal data, but in practice, many hurdles are keeping organisations from becoming compliant in a timely manner," said Peter Tsai, senior technology analyst at Spiceworks.

"As a result, European regulators might have their hands full, considering many organisations won't be GDPR compliant for months or years to come, and few believe they will be penalised."

30/04/2018: Charities not ready for GDPR

Charity support organisation Localgiving has warned that charities aren't prepared for GDPR, with almost half of them saying they will not be compliant by 25 May.

Almost a tenth of respondents said they didn't think GDPR applied to them, despite them collecting data, while 30% said they were not even aware of the new regulations.

Just under half of respondents (45%) said they would struggle to be compliant by the deadline.

Localgiving's report, which questioned 686 charities between 31 July and 2 October about the state of their industry sector, said smaller charities were least prepared for the regulation changes. Of those of charities with less than 10,000 annual income, 43% said they would be prepared for the legislation, while 14% didn't think GDPR applied to them.

However, larger charities - those with an annual income of between 501,000 and 1 million - felt much more prepared, with 88% believing they were ready and all of them accepting that the regulations are relevant to their organisation.

The data collected by Localgiving regarding GDPR echoed that of the Institute of Fundraising, which found a third of small charities hadn't "done anything to review data protection or get ready" for the incoming regulations.

25/04/2018: One month to go till GDPR comes into force

With GDPR now just a month away, the government has urged UK businesses to ensure they are compliant in time for the 25 May deadline for the new data protection rules.

The Department for Digital, Culture, Media and Sport (DCMS) today issued a reminder for businesses to ensure they meet the stricter General Data Protection Regulation, or risk financial penalties for non-compliance.

However, recent research has found an alarming number of businesses are struggling to get to grips with the incoming law.

The Federation of Small Businesses (FSB) surveyed its members in March and found a third of small businesses have not begun preparations for the legislation, while less than 10% of organisations were confident of being GDPR-ready.

Meanwhile, over two-thirds of UK firms said in March that they couldn't secure customer data, a priority under GDPR, according to Claranet's stdy of 750 IT decision makers. .

DCMS's warning to UK organisations today read: "Your customers, employees and other individuals need to be able to trust you to look after and use their personal data responsibly and safely. Knowing they can trust you is good for your organisation or business and you may risk a fine if you don't comply."

It provided a link to the Information Commissioner's Office's (ICO's) self-assessment test and advised businesses to see if GDPR affects them by follow the guidance on the ICO's website.

19/04/2018: Facebook rolls out GDPR privacy changes

Reeling from a string of scandals around privacy and users' data, Facebook will roll out greater privacy controls for users in the EU and the rest of the world ahead of next month's GDPR deadline.

The social network's VP and chief privacy officer, Erin Egan, and VP and deputy general counsel Ashlie Beringer, this week outlined how users will be asked to review their existing privacy configurations, while the social media giants applies updates to its terms of service and data policy to comply with the EU's new data protection legislation.

When the GDPR becomes law on 25 May, any organisations handling EU residents' personal data will be expected to comply with a set of stricter rules or face fines of up to 20 million, or 4% of global annual revenue, which, if applied to Facebook, would amount to more than $1.5 billion.

Beringer and Egan said: "We not only want to comply with the law, but also [to] go beyond our obligations to build new and improved privacy experiences for everyone on Facebook.

"We've brought together hundreds of employees across product, engineering, legal, policy, design and research teams.

"We've also sought input from people outside Facebook with different perspectives on privacy, including people who use our services, regulators and government officials, privacy experts, and designers."

Facebook had previously announced at the start of April it would introduce a series of changes to its data policy, alongside committing to apply the provisions outlined in the GDPR to all its users regardless of what country they live in.

As part of the changes, users will be offered greater options for ads based on data from third-parties, the ability to control what information appears publically on their profile, to choose whether they consent to facial recognition features, as well as stronger tools to access, delete and download their information.

Features also be introduced for teenage users, including limiting advertising categories, and turning off facial recognition.

Users in the EU should expect to see changes within the next week, with Facebook deciding to take a phased approach to the rest of the world; applying these changes at a later, unspecified date.

However, Facebook has also come under fire for reportedly seeking to remove its responsibility for treating 1.52 billion users' data under GDPR.

The information of almost 1.9 billion Facebook users from Africa, Asia, Australia and Latin America would need to be protected under GDPR, according to Reuters, because they have agreed their terms and conditions with Facebook's international headquarters in Ireland.

But Facebook plans to remove the vast majority of these additional users from the EU's jurisdiction, vastly limiting its exposure to GDPR.

Stephen Deadman, deputy chief global privacy officer for Facebook, said in a statement emailed to IT Pro: "The GDPR and EU consumer law set out specific rules for terms and data policies which we have incorporated for EU users. We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live. These updates do not change that."

Facebook instead believes that the wording of GDPR isn't relevant for users outside of the EU, with local laws for other countries not requiring Facebook's local subsidiaries to appoint a data protection officer. The social network argues that it's trying to balance implementing the principles of GDPR for all users with adhering to local laws, which can differ over definitions of what constitutes personal data.

Picture: Bigstock

05/04/2018: Facebook to extend GDPR data protection changes to global users

Facebook CEO Mark Zuckerberg intends to implement the EU's forthcoming data protection changes worldwide, rather than confining them to European users of its platform.

The General Data Protection Regulation is due to come into force on 25 May, applying to all organisations collecting or processing EU residents' personal information, giving those people more control over what companies do with their data and introducing greater potential fines for misuse.

Fresh from its own data misuse scandal, Facebook has announced a string of changes to its data policy, and has also committed to rolling out GDPR to apply to all citizens.

After the social network appeared in news reports yesterday under headlines suggesting it wouldn't extend the new protections to US citizens, Zuckerberg since clarified his remarks in a press conference confirming his company would in fact introduce equivalent safeguards for all users.

"Overall, I think regulations like the GDPR are very positive," he said. "We intend to make all the same controls and settings available everywhere, not just in Europe.

"Is it going to be exactly the same format? Probably not. We need to figure out what makes sense in different markets with the different laws and different places. But - let me repeat this - we'll make all controls and settings the same everywhere, not just in Europe."

Reuters had initially quoted Zuckerberg as suggesting he would implement the "spirit" of GDPR worldwide.

Facebook has toughened up its data protection policy following reports that a data modelling company called Cambridge Analytica had collected millions of Facebook users' profile data to help influence voters ahead of the US presidential election in 2016.

The company in fact harvested up to 87 million users' data, according to Facebook's best estimates, via a university professor's quiz app that was able to access users' friends' profile data as well, under platform rules that existed in 2015 (and have since changed to prevent this).

Zuckerberg admitted that "we didn't do enough" in a press briefing yesterday, and many of the changes to Facebook's terms and conditions bring them in line with GDPR before its introduction next month.

Such changes include explaining how and why Facebook uses people's data, and making its terms and conditions easier to understand. Zuckerberg also claimed that Facebook has had "almost all" of the GDPR requirements in its policies and tools for years, and said it must do a better job of making people aware of this.

Details about how Facebook will roll out GDPR globally, and a timeline for doing so, are yet to emerge. The UK is currently passing a new Data Protection Act to ensure GDPR-style legislation is replicated in native law before the UK leaves the EU.

14/03/2018: Organisations 'are rushing to hire' data protection officers

Many companies that need a data protection officer (DPO) to comply with GDPR appear to have left it late to hire one, with a quarter of such job vacancies being advertised since the start of 2018.

The EU's legislation is set to apply from 25 May 2018, but Joblift's data - culled from vacancies posted on its platform - suggest that organisations are only now rushing to hire a DPO in order to meet compliance requirements set out under the legislation.

Of almost 4,000 DPO vacancies advertised, 1,011 have appeared since January, the company found, with the number of listings increasing by 11% each month - compared to a 3% average for the UK jobs market as a whole.

London firms advertised half of all the DPO vacancies, with Manchester following at 4%, then Birmingham with 3%.

GDPR legislation dictates that organisations seeking to fill the newly-created DPO role should look for someone with "expert knowledge of data protection law and practices", so there has been some speculation as to what kind of person could fill this role.

While Joblift didn't offer any insight about who filled the DPO vacancies advertised, wider data protection role vacancies indicate firms are interested in candidates with legal and security backgrounds. For instance, barristers were the most popular data protection job candidates, followed by legal affairs policy assistants, both of whom have legal knowledge that would provide a sound underpinning for the DPO's responsibilities namely to monitor their company's compliance with GDPR and act as a point of contact for data protection authorities in the case of a data breach.

Security officers were the third-most popular types of candidates to fill data protection roles, with consultancies, law firms and government departments the likeliest recruiters, including PwC, Addleshaw Goddard law firm and HM Land Registry.

GDPR stipulates that organisations must hire a DPO if their core activities involve data processing that requires them to regularly and systematically monitor EU residents on "a large scale".

Firms whose core activities include processing or collecting people's personal data relating to their religious beliefs, ethnicities, trade union memberships, sexuality and more must also hire one, although a number of public bodies can share the same DPO.

12/03/2018: ICO targets micro businesses in new GDPR awareness campaign

The UK's data protection watchdog has launched a new GDPR awareness campaign aimed at helping micro businesses ensure they are prepared for the upcoming regulation changes.

Of the 5.7 million businesses that operate in the UK currently, 5.5 million (96%) employ fewer than 10 employees, accounting for 33% of the nation's employment and 22% of turnover, according to government statistics published in December last year.

However, despite the overwhelming majority, there's a concern that micro businesses are overlooked when it comes to GDPR guidance, with many not even aware of the changes coming on 25 May.

"I'm sure the women and men running micro-businesses in the UK will want to be ready when the new law comes into force, but they may not know where to start, and that is what the new tools and information on our website can help with," said information commissioner Elizabeth Denham.

"For the large majority of micro businesses, the steps towards GDPR compliance can be practical and achievable without costly or expensive external support," added Denham. "It's also worth noting that many sector and industry groups and associations are offering help to micro businesses about the GDPR and can be a good starting point for industry-specific advice."

A series of radio adverts are accompanying the launch of the 'Making data protection your business' campaign, which provides a series of guides on the ICO's website, as well as a self-assessment to check whether the new laws apply to your business.

The campaign follows a report released last week that found over two-thirds of British businesses lacked the necessary capabilities to secure customer data effectively enough to comply with GDPR.

A separate report also found that just 8% of small businesses, which are thought to make up 99% of the UK businesses, believe they are ready for the new regulation changes, with only 35% having started preparations.

05/03/2018: Most UK firms are struggling to secure data ahead of GDPR

More than two-thirds of British businesses cannot secure customer data effectively, a key tenet of the EU's incoming General Data Protection Regulation (GDPR), a new survey has found.

Mere months before GDPR is enforced on 25 May, a study of 750 IT decision-makers demonstrated that security is a key concern for many firms. The study, for Claranet's Beyond Digital Transformation report, found that 69% of respondents admitted to this lack of data security management capability, while another 45% said they face problems around securing customers' details when trying to improve the digital user experience.

Carried out by Vanson Bourne, the survey also discovered that IT teams are trying to acquire the skills and expertise that are essential to tackling this disparity. Four in 10 respondents acknowledged that security is one of the biggest challenges facing their organisation's IT department, and 43% specified improving security as one of the priorities for their IT departments over the next 12 months.

Indeed, the amount of money spent on IT security by European businesses is set to increase by over a third (37%) over the next three years, the research found, when compared to the previous three years.

"This focus on heavier investment in security bodes well for the future and the fact that businesses are aware of where they are deficient means that they have the right mindset in place," said Michel Robert, Claranet's UK MD.

"However, it's important to recognise that much still needs be done in terms of increasing cybersecurity capabilities at a pace rapid enough to ensure GDPR readiness and overall preparedness. Businesses are aware of the challenges they face, but the current level of available expertise can hold back initiatives."

01/03/2018: Smallest firms are yet to prepare for GDPR

A third of small businesses are yet to begin preparing for the EU's General Data Protection Regulation (GDPR) ahead of it coming into force in May, according to a new study.

Just 8% of UK SMBs believe they are ready for the new data protection rules, according to figures released by the Federation of Small Businesses (FSB) this week, while 35% are still in the early stages of preparations.

More than 80% of small firms operating in the financial services industry said they are ready or in the process of becoming ready for GDPR, which will outline tighter controls on what businesses can do with people's personal data.

But over half of FSB members from the hospitality and arts and entertainment industries admitted they have not started preparing for the legislation. In retail, 41% said they haven't started preparations either, while that figure stands at 37% in construction and 28% in manufacturing.

Mike Cherry, FSB national chairman, said: "FSB is in a unique position to reach small businesses and so we're going to step up efforts to help and support them get data ready, while continuing to make sure the government implements the regulation in the fairest way for small firms.

"The GDPR is the biggest shake-up in data protection to date and many small businesses will be concerned that the changes will be too much to handle. It's clear that a large part of the small business community is still unaware of the steps that they need to take to comply and may be left playing catch-up."

The FSB is running an awareness campaign, #FSBeDataReady, to help small businesses understand what they need to do to prepare for the legislation.

UK data regulator the Information Commissioner's Office (ICO) has released specific data protection guidance for small firms, and has set up a helpline to deal with their queries - to call, dial 0303 123 1113 and select option 4.

Information commissioner Elizabeth Denham said: "We know that many small businesses are keen to get it right, but with so much misinformation out there it's difficult for them to know what's right and what's not. It is therefore very welcome that FSB is running this campaign."

19/02/2018: UK firms will spend 1.3m to comply with GDPR

UK businesses have spent an average of 1.3 million to make themselves GDPR-ready ahead of the law applying in May this year, according to a study.

The data protection legislation comes into force on 25 May and is designed to give EU citizens more power over what organisations can do with their data, as well as introducing tougher fines and tighter controls on organisations to prevent data misuse.

With little over three months to go until GDPR becomes law, 72% of organisations worldwide believe they will be ready for it, according to a survey. At 74%, the UK is more prepared than any other European nation surveyed by independent market research firm Coleman Parkes, but the US tops the list with 84% claiming they will be prepared.

Almost half of the nearly 1,000 organisations surveyed by Coleman Parkes, in association with DDI network services vendor EfficientIP, said the biggest advantage of compliance will be gaining customer trust, while 31% said brand awareness would get a boost, followed by 18% hoping it will increase customer loyalty.

Herve Dhelin, SVP of strategy at EfficientIP, said: "As organisations enter the final straight of GDPR compliance with 100 days to go, our research shows they have never been so close to regulatory compliance. There is still some work to do, but it is encouraging to see nearly three-quarters of businesses are ready."

The study comes after a separate survey found that a quarter of London businesses were unaware of GDPR, while other research found that just 18% of firms currently have a procedure to notify customers in the event of a data breach - something they must do under GDPR.

Keumars Afifi-Sabet
Contributor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.