Can UK SMEs withstand the repercussions of GDPR non-compliance?

A good percentage are not even aware of one employment requirement

Can UK SMEs withstand the repercussions of GDPR non-compliance?


By Terry Gangcuangco

First it was the Ogden rate, then the Insurance Premium Tax – and of course there’s the bigger issue of Brexit, as well as the ever-growing cyber threat – but now one of the hottest topics in the industry is the General Data Protection Regulation (GDPR) to be implemented on May 25, 2018. Oddly enough, amid much talk about the imminent rule changes, not everyone is in the loop.

In October we told you about a study which found that 39% of 250 insurance brokers in the UK are not even aware of GDPR. Now this same lack of awareness is likely to become a risk for small-and-medium sized enterprises (SMEs) or those with less than 250 employees, according to the Zurich SME Risk Index.

Zurich’s survey of more than 1,000 SME owners in the UK found that, while 85% would be impacted by the new rules, 44% of those did not know that businesses dealing with large amounts of data will be required to employ a data protection officer (DPO) or satisfactory equivalent. Currently, only 34% of surveyed SMEs have an employee serving that function.

What’s worrying is that there’s a predicted shortage in cybersecurity workers, with Zurich citing an estimated 3.5 million vacancies in the field by 2021. Without the necessary cybersecurity staff, British SMEs may find themselves failing to comply and facing fines.

As reported, the monetary penalty can be as high as 4% of a business’s total worldwide annual turnover or as much as approximately £18 million. The question now is whether SMEs in the UK can withstand this.     

According to the risk index, only 28% of SME owners can guarantee at this point that they could continue to operate following such a hefty fine. In fact, 9% believe they would be forced to close down operations if penalised.

“Cybersecurity trained staff are already a rare and highly sought after commodity, and business leaders should be gravely concerned about their ability to find and hire data security personnel,” commented Paul Tombs, Zurich head of SME proposition. “If your business requires a DPO, then investing in training current staff is probably the quickest and simplest solution given the current job market for these individuals.

“Stomaching the investment in training now may be hard to bear, but the repercussions for not doing so will be dire.”

Related stories:
GDPR: Exposures, claims, premium rates could all increase
New EU rules looming – and many UK brokers aren’t ready

Keep up with the latest news and events

Join our mailing list, it’s free!