Cyber security: Half of UK businesses do not understand new GDPR fines

More than half of UK businesses still do not understand the fines they could face once the European Union's General Data Protection Regulation (GDPR) begins to apply, according to a new report.

A survey by Sophos found that 54 per cent of UK firms have little or no understanding of the penalties for non-compliance, the poorest level of awareness among the European countries in the study.

Fifty-four per cent of small businesses and 17 per cent of all companies say they would go out of business if they were fined under the regulation, which allows penalties of up to €20 million (£18 million) or four per cent of worldwide annual turnover, whichever is higher, once it applies in full from May 2018.

Although it is an EU regulation, the GDPR will affect organisations around the world that process the personal data of people in the EU, requiring them to put in place appropriate technical and organisational measures to protect that data.

Despite this, 26 per cent of UK organisations are unclear on what they will have to do to comply after Brexit, or think that UK businesses will be exempt once the country leaves the bloc.

It remains to be seen exactly how the GDPR will be enforced, although cyber security experts suspect that regulators may initially make an example of unprepared firms that suffer breaches.

But only six per cent of UK businesses see the GDPR as their number one priority, and one-fifth say it is their lowest priority. Only eight per cent believe they are currently compliant.

Recent research by Duff & Phelps found that 86 per cent of financial services firms expect to spend more on security over the next 12 months because of increased pressure from regulators and clients.

Two-thirds of the organisations surveyed, which spanned Europe, Asia and the US, thought that cyber security would be a priority for regulators this year in the wake of high-profile attacks.