One year on: most companies still not GDPR-compliant

Date: 28 May 2019


Twelve months after the introduction of new data privacy legislation, many organisations are struggling to meet their obligations.

A number of new surveys, published to coincide with the first anniversary of GDPR on 25 May, have found that many businesses are in breach of the data legislation.

Research by Crown Records Management suggests that over 75% of organisations could be struggling with GDPR compliance; its survey has found that only 23% of businesses say their compliance capabilities around GDPR are "very good".

Just 20% of the data professionals surveyed said their data collection and processes are GDPR compliant, leaving many businesses at risk of fines. Almost half of respondents felt that their organisation's data storage methods need improvement (46%), followed by data retrieval processes (44%) and data storage and protection (43%).

Meanwhile, a study by CybSafe concludes that "the majority of UK businesses are in breach of GDPR rules and few have changed their corporate policies as a result of the legislation".

Of the IT decision-makers from UK businesses surveyed by CybSafe, 56% admitted that their business had failed to request consent to store sensitive data and 16% said they had knowingly ignored subject access requests.



Oz Alashe, CEO and founder of CybSafe, said: "GDPR may have benefited consumers by emptying their inboxes of unwanted mail, but in terms of sparking action amongst businesses, it hasn't been universally impactful. While things have changed for the better in some areas, a large number of organisations are still falling well short of the standards that the legislation has laid out. One whole year on from its introduction, this is disappointing to say the least."

A Twitter poll by Infosecurity Europe 2019 has found that 68% of respondents believe organisations have not taken GDPR seriously and are still not compliant; 47% say GDPR regulators are being too relaxed when it comes to enforcing standards.

Meanwhile, a survey of 1,400 SMEs by Shred-it has found that smaller firms generally have a "positive understanding and engagement with the principles of GDPR". However, while 72% of UK SMEs say they are "very aware" of GDPR requirements, 60% reported that the changes to data protection law have had a "slight" or "no" impact on their business. Only 32% of SMEs said GDPR has had a "great" or "considerable" impact on their business.

"On the surface it is good news," said Ian Osborne, vice president UK and Ireland for Shred-it. "It is clear that many feel they are already compliant with GDPR having reviewed areas such as consent activities and publishing a privacy notice. These typically deal with the front-end aspects of GDPR.

"However, there is a real question mark over the extent to which the majority of SMEs are prepared to respond to a data breach or how to react to a subject access request, for example. Our survey suggests that there is still a need for a large education exercise to show SMEs what is really involved in GDPR compliance at depth."

Written by Rachel Miller.
