Small business owners admit they are still ‘clueless’ about GDPR

Small business owners admit they are still ‘clueless’ about GDPR – leaving the personal data of millions of employees and customers at risk.

Researchers who polled 1,000 owners of small businesses found half are confused by the do’s and don’ts when it comes to data protection and privacy regulations.

As a result, owners and employees alike have made mistakes or have procedures in place which could have resulted in a multi-million pound fine for the business.

More than a quarter of those polled allow staff to use their own computers, tablets and phones for work purposes which contravene rules as personal data could be stored unencrypted at home.

And one in 10 revealed they have visitors books in their HQ – where visitors can freely see details of others who have been there previously.

Commissioned by Aon, the research also found paper diaries are used by 26 per cent of businesses – which could contain private information or customer details and be easily misplaced.

Ten per cent said the circulation of printed out sponsorship forms – which often contain names and addresses – is common at their place of work, which is another contravention of GDPR rules.

Chris Mallett, a cyber security specialist at Aon said: “As the results show, many businesses could be in breach of GDPR – most likely without even realising it.

“Visitors books, allowing staff to use their own mobiles for work purposes and even seemingly minor things like distributing sponsorship forms around the office carry risk.

“Yet these sorts of things are commonplace among businesses big and small across the UK.”

The research also found a quarter have used training materials which feature the full details of real-life case studies.

Sixteen per cent have used promotional images which include members of staff wearing their nametags – making them publicly identifiable.

More than half revealed they DON’T dispose of paper customer records securely and confidentially.

And it’s a similar story for staff records (71 per cent), visitor books (86 per cent) and minutes from meetings (78 per cent).

Carried out through OnePoll, the study found four in 10 didn’t know the loss of paperwork could be a data breach.

Thirty-six per cent weren’t aware personal data posted, emailed or faxed to the wrong person could be a breach too.

Six in 10 have no idea the Information Commissioner’s Office (ICO) must be notified of data breaches where individuals’ rights are affected.

And around half didn’t know all those affected must be told as well.

Worryingly a third of owners said it would take their business a week or more to resolve a data breach.

And currently, almost 45 per cent have no insurance whatsoever in place to protect them against cyber or data risks.

Chris Mallett added: “Such a significant proportion of businesses not having cyber insurance is a major worry.

“From talking to our customers we know that many simply can’t guarantee they’re able to successfully defend against a cyber attack and that’s not necessarily their fault – even major corporations are vulnerable.

“How a breach is dealt with by a business is vital, though, and if it’s not done in accordance with GDPR that business could receive a significant fine as well as damaging relationships with customers and losing out on revenue.

“Cyber insurance means those businesses who unfortunately experience a data breach can at the very least rest assured that they have access to specialist support, ensuring a breach will be dealt with in line with GDPR requirements.”

For more information and analysis of the survey findings click here []


1. Allowing staff to use their own computers, tablets or phones for work purposes – if personal data isn’t encrypted
2. Staff using papers diaries used for work purposes and containing personal information – major risk of them being misplaced or falling into the wrong hands
3. Using training materials which feature full details of real life case studies
4. Using images which feature customers to promote your business
5. Storing files which potentially contain personal data outside of a defined structure/naming system
6. Using images to promote your business which feature members of staff wearing nametags
7. Holding unencrypted CCTV footage where individuals are recognisable
8. Recording customer calls which capture customer card details
9. Visitors books where visitors can see other people’s information when signing in – such as names, company they work for, their vehicle registration number etc
10. Staff members circulating sponsorship/charity donation sheets