Seven in ten businesses have not allocated any budget to facilitate compliance with stringent new data protection legislation being implemented in May, 2018.

The UK’s first fully compliant GDPR job board, CareersinCyberSecurity.co.uk, and London law firm Hamlins LLP found that hundreds of thousands of UK business were leaving themselves open to “huge fines” after 73% failed to budget for the implementation of the changes they require to comply to General Data Protection Regulation (GDPR).

Research carried out by the two businesses also found that the majority of businesses (53%) had not appointed the Data Protection Officer (DPO) required by GDPR and more than a third of open ended answers amongst respondents revealed they are not planning to do anything about the regulation or do not know what has to be done.

When asked if what would be the main reason for not preparing for the regulation 15% said that they believed Brexit would preclude UK businesses from having to comply, 12% said that they did not have the funds to comply, 10% did not want to get caught up in red-tape and 11% did not consider there to be a business risk.

But all businesses must comply with the new rules and risk fines of up to 4% of their annual turnover it they do not comply.

Simon Wright, operations director, CareersinCyberSecuity.co.uk, said: “Whilst some businesses will be exempt from appointing a Data Protection Officer, there are hundreds of thousands of businesses currently exposed because they do not have the right calibre of staff to deal with data protection law and practices and ensure they can honour all the obligations under the GDPR.

“Experts in the data protection field, could find themselves in high demand and in some circumstances in a good position to name their price, as there is currently an estimated shortfall of 7,000 DPOs in the UK alone.”

Matthew Pryke, a partner at Hamlins who regularly conducts data protection audits for SMEs said: “Despite awareness about the GDPR, too many businesses are complacent and think because of their size or nature of business they are somehow exempt from having to comply.

“Regardless of Brexit, this regulation – even with the words EU fronting the name - will still apply for all businesses operating in the UK. 

“Those who leave it to chance and don’t prepare now, could be left high and dry if the Information Commissioners Office find businesses breach regulations.”

GDPR requires additional information to be supplied to individuals and customers, including the need to identify the legal basis for processing their data and the right for individuals to complain to the Information Commissioners Office if there is any problem with the way an individual’s data is being managed - for example if there is a data breach or data is being passed to third parties without express consent.

Among the key areas of GDPR compliance identified by Hamlins LLP were:

•             Businesses will be required to obtain a positive indication of agreement to personal data being processed.  The consent cannot be inferred from silence, pre-ticked boxes or inactivity;

•             Consent will be required for processing children’s data. Businesses will need a parent or guardian’s consent in order to process children’s personal data lawfully;

•             Rules for obtaining valid consent have been changed.  The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.;

•             The appointment of a data protection officer (DPO) will be mandatory for certain companies.  These include all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”.

Firms whose core business activities are not data processing are exempt from this obligation. 

The GDPR does not specify credentials necessary for data protection officers, but does require they have both “expert knowledge of data protection law and practices”, report to the highest management level of the organisation and have adequate resources to enable the organisation to comply with the GDPR.