Learn about the General Data Protection Regulation and how UK businesses are preparing.

The EU General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. This government mandate introduces tougher laws about processing and handling personal data of EU citizens, tightens the timeline for breach reporting, and protects numerous individual rights.

Some businesses in the UK have researched and made preparations for the GDPR. Other still do not know what the GDPR is. Fines for data breaches and non-compliance can range between 4% of a business’s annual global turnover (aka revenue) or €20 Million—whichever is greater.

There are two major parties when it comes to GDPR: Data Controllers and Data Processors. It’s important that organizations determine which group they belong to, so they can understand the scope of their responsibility. Data Controllers are entities or individuals that need to process personal data in order to do business. They determine the purposes for which and the manner in which the personal data is processed. Data Processors take and process personal data on behalf of the Controller.


We interviewed over 250 management and IT professionals in the United Kingdom about GDPR and their GDPR compliance efforts. This infographic is an analysis of their collected responses.

GDPR priority levels among UK businesses

While 44% of UK organizations we interviewed consider GDPR a high priority, 35% still do not know what GDPR is. What does this mean? Sometimes companies are simply busy or they don’t realize how significant the GDPR is to them. There could also be a lack of reliable education and resources.

For those companies that consider GDPR a high priority, there are few GDPR management tools on the market. But, using such a tool is a good way to stay organized and avoid fines down the road. Check out SecurityMetrics GDPR Defense for more tracking options.

How ready are UK businesses for GDPR?

With the May 25th implementation date looming near, organizations report varying levels of readiness. Nearly 50% of companies that we surveyed say they are 50% ready or less for GDPR.

If businesses already follow security standards like the PCI DSS or HIPAA, there may be some overlap in the security controls they already have in place. However, GDPR has a much larger scope and protects data subjects’ rights to a greater extent.

Download our GDPR 101 Webinar

Resource planning for GDPR

We asked businesses how they plan to meet GDPR requirements. Again, a large chunk of respondents report not knowing what GDPR is. For those with a plan, most expect to handle the requirements of GDPR themselves and only 17% will hire someone to help. 

It’s difficult to say yet exactly how much GDPR compliance will cost businesses. The true amount will depend on many factors, including company size, current security controls, the amount of data processed, and the handling methods.

We asked companies what they estimate to spend annually on GDPR compliance. Over half reported that they expect to spend less than $200 annually. Only 9% reported planning for $3000 or more.

Again, the appropriate budget for each company is dependent on many factors and will likely change as time goes on and businesses are more familiar with GDPR compliance. But as of a few weeks before implementation, it appears that companies plan to spend a very minimal fraction of their budget on GDPR compliance.

SEE ALSO: GDPR 101 Part 1 Blog, GDPR 101 Part 2 Blog

What we’ve learned about GDPR readiness in the UK

We found that 62% our respondents already work toward compliance with the PCI DSS. This can be seen as a strength or a weakness, depending on how a company handles its data security overall. While we mentioned that yes, there are overlaps between PCI and GDPR, the scope and breadth of each compliance mandate are different. GDPR applies to all personal data—also known as personally identifiable information (PII)—and its intent is to protect the privacy rights of individuals.

UK respondents were on average only 54% ready for GDPR implementation and 57% consider GDPR a medium-to-high priority. This means that there is still plenty to be done. The key is to find reliable resources and tools that provide a starting point and a map for the GDPR compliance journey.

SecurityMetrics GDPR Defense 

If you have questions about data security mandates or standards like GDPR, PCI DSS, or HIPAA, contact us here.