Print IT Reseller - Issue 30 - page 48

BRIEFING
Only 4% of SMEs understand impact of GDPR

Most small and medium sized businesses (SMEs) in the UK have either not heard of, or are uncertain about the impact of, the EU’s General Data Protection Regulation (GDPR), which was adopted in April 2016 and takes effect within two years.

In the latest Close Brothers quarterly survey of UK SME owners and senior management, 82% have either not heard of GDPR or don't understand its impact; a further 14% say they will need to take further advice.

Only 4% of SMEs say they understand the legislation and are clear about the effect GDPR will have on their business.

Ian McVicar, Managing Director of Close Brothers Technology Services, said: “GDPR is one of the most significant and anticipated pieces of legislation conceived in the EU in recent years. It is intended to strengthen and unify data protection for individuals within the EU. What these results demonstrate is that there is a clear lack of understanding at all levels and across all sectors.”

To help businesses prepare for GDPR, Close Brothers Technology Services is working with International Data Corporation (IDC) and developing a series of business guides on the subject.

Sean Callanan, Director of Technology Services, said: “Our focus will be on the areas where technology can help businesses prepare for GDPR, because much of the regulation is actually about process. However, some elements can only be enabled or managed through technology.”

To get a copy of the first Close Brothers Technology Services IDC report, please contact Nick Moody, Director of Business Development at nick.moody@closebrothers.com.

GDPR & data security

Data Protection Officer shortage must be addressed

Seven thousand Data Protection Officers will be needed in the UK by May 2018 in order to comply with new EU data protection rules – regardless of Brexit, warn GO DPO and Henley Business School.

GO DPO, the strategic partner for the Henley Data Protection Officer (DPO) Programme, estimates that around 7,000 large companies (employing in excess of 250 employees) will need to recruit and train at least one DPO each over the next 24 months.

That equates to having to train around 14 DPOs every single working day between now and when the EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018.

Darren Verrian, CEO of GO DPO, said: “This headline figure of 7,000 DPOs isn’t a wild exaggeration; if anything, it is an under-estimate of the actual requirement, as many banks and insurance companies employ more than one senior manager to fulfil the requirements of a DPO whose role can involve handling millions of customer and client accounts.”

He added: “Our conservative calculations are based on figures published by the BIS at the end of last year and exclude 33,000 medium-sized companies that employ 50-249 employees, many of which will also need to appoint a DPO. Not all companies will want to employ an in-house DPO, but will opt for a third party-provided DPO managed service. However, these independent contractors will also need to be trained.”

Henley Business School has responded to demand for senior manager training by launching its own Executive Education DPO Programme.

Mike Davis, Head of Open Programmes at Henley Business School, said: “What the underlying figures for the recruitment and training of a DPO conceal is the vast amount of changes to data processing policies, processes and procedures that must be undertaken as a matter of urgency in order to protect business continuity in the face of one of the biggest shake-ups in data protection for over two decades.

“Our DPO Programme isn’t about simply training DPOs to be compliant with European data protection law but is designed to help senior compliance managers make the step up to the new breed of DPO required under the GDPR. It also opens the door for the private sector to train senior consultants to provide a high-quality DPO managed service that will become an industry in its own right over the next couple of years.”

The DPO Programme can be experienced free by registering for the ‘Getting Started’ interactive Module – just click on the green ‘sneak preview’ button on ac.uk/dpo

The real question

Speaking about Brexit and the GDPR to an audience of over 200 senior managers from across the financial services sector, Alexander Brown, partner at Simmons & Simmons and head of the firm’s TMT sector group, said: “While there was stiff opposition to many measures contained in the EU General Data Protection Regulation during the negotiations with the UK Government, it’s highly unlikely that the Data Protection Act 1998 will remain in place without some form of reform. In any event, it will be difficult to avoid the implications of the GDPR for many financial services (FS) clients that conduct business across the EU and therefore will need to comply with it.”

He added: “The really interesting question – as yet to be decided – is whether the European Commission will recognise the UK as an ‘adequate country’ for the purposes of cross-border personal data transfers or whether the UK could suffer the same fate as the US where transfers of data have been made more problematic through the scrapping of the US Safe Harbor.”

According to the experts, the most likely outcome is that the EU will make a determination in favour of the UK as an ‘adequate country’ given it’s been at the forefront of providing legal protection for consumers with respect to personal data for over three decades. The UK was one of the first countries in the world to empower its Data Protection Authority to impose fines for personal data breaches.