Out-Law News
19 Oct 2017, 4:11 pm
The survey, carried out by the Institute of Directors, found that 30% of the 869 IoD members questioned had never heard of the General Data Protection Regulation (GDPR), while 40% did not know if their company would be affected by the new rules.
Of those that said their company would be affected by the GDPR, just 18% said they were very confident how the Regulation would affect the way their business runs.
However, 86% of respondents said they were at least somewhat confident that their business would be fully compliant with the GDPR by the time the new rules begin to apply on 25 May 2018.
Jamie Kerr, head of external affairs at the IoD, called on the UK's Information Commissioner's Office (ICO) to do more to help businesses understand their obligations under the GDPR.
"It is crucial everyone understands just how big this regulatory change will be for business leaders over the next few months," Kerr said. "The regulator has a significant role to play in ensuring that SMEs, as well as larger firms, are fully compliant by May 2018."
"We urge the regulator to step up its engagement with businesses to ensure that they are spreading the message far and wide. In particular, however, it needs to emphasise in simple terms the criteria for compliance, what steps companies will have to take to comply and what the penalties are for not meeting the new standards. As a representative body, we will do our best to work with them to broadcast these messages," he said.
Information commissioner Elizabeth Denham said that businesses should not view data protection law compliance as a 'tick-box' exercise. Instead, she said the GDPR should be thought of as a business opportunity.
"Those organisations which thrive in the changing environment will be the ones that look at the handling of personal information with a mindset that appreciates what citizens and consumers want and expect," Denham said in a speech at the IoD's digital summit on Tuesday.
"That means moving away from looking at data protection as a tick box compliance exercise, to making a commitment to manage data sensitively and ethically. When you commit, compliance will follow. If you haven’t started preparing for the reforms, it’s not too late," she said.
The ICO is expected to publish new guidance on obtaining consent to data processing under the GDPR in December. Further draft guidance on profiling and data breach notification is currently out for consultation by the Article 29 Working Party, which is made up of representatives of the national data protection authorities from across the EU, including the ICO.
The Working Party has already issued guidance on carrying out data protection impact assessments (DPIAs), the appointment of data protection officers (DPOs), data portability and regulatory oversight of cross-border issues under the Regulation.