Most small businesses in the UK have not updated or reviewed their data security and privacy policies since the GDPR came into force, according to new research from tech firm Appstractor.
The “Under Attack: Assessing the struggle of UK SMBs against cyber criminals” report assessed the views of 500 IT bosses at small UK companies and revealed the majority are ignoring GDPR risks seven months after the new rules were officially introduced.
Three quarters of those polled said their company is yet to take any action to improve how they store data, with a quarter of businesses having no plans to do so at all.
The findings make for concerning reading, particularly given research published by the Federation of Small Businesses prior to GDPR coming into force, which claimed that 90% of small businesses were not GDPR-compliant.
Paul Rosenthal, CEO of Appstractor, said: “Small businesses have long been in denial about the threat they face from cyber-criminals and it seems this denial has carried over into the risk GDPR carries.
“It is not just the financial risk and the fines that can be imposed under GDPR, but businesses now have a responsibility to report a security breach to those whose data has been put at risk. The reputational damage alone of being known as a company that can’t keep its customers’ data safe can be enough to sink a small business before any financial fines are imposed.”
Whatever steps they decide to take, smaller businesses should at least be reviewing how they gather, store and secure customer data to ensure they are as compliant as possible, Rosenthal added. “Unfortunately, it seems many are not taking GDPR seriously enough which could have serious consequences.”