The GDPR knowledge gap

How does GDPR apply to your organisation?

Widespread ignorance of the new data protection rules won’t last long – and it won’t do businesses any favours while it does.

The government, at least, is clear: It’s going to be fully implementing the EU General Data Protection Regulation, with UK legislation in the next parliament, according to digital minister Matt Hancock.

That should be no surprise. As a Regulation, GDPR will apply automatically across the EU – even without national law to implement it – in May 2018. At that point, the UK is still going to be a member of the EU. National legislation mirroring its requirements just means businesses and consumers know they’ll have continuity after the UK leaves.

The government, then, is getting ready for GDPR. It’s not so clear others are, though.

A survey of 2,000 people last week showed that close to two thirds (63 per cent) have never even heard of the new rules. Another 14 per cent had heard of the regulation but did not know what it was. That leaves fewer than a quarter with any knowledge of the rules.

Ignorance is bliss?

On the one hand, that might seem like good news for businesses. As we’ve said before, GDPR opens businesses to significant new obligations – and significant penalties for getting it wrong, including fines of up to four per cent of a company’s global revenues or €20 million. A UK public that’s ignorant of their new rights – and therefore less likely to complain – might seem no bad thing.


That, though, ignores a couple of factors: First, the UK data protection regulator, the Information Commissioner’s Office (ICO), will be taking the lead in enforcement. It doesn’t need to wait for complaints. Second, public ignorance won’t last long. The European Commission has already promised public awareness campaigns to bring the new rules to people’s attention so they can “stand up for their rights”.

In the meantime that ignorance won’t help businesses anyway. Those unaware of the new regulations are likely to include sizeable numbers of businesses’ staff, and perhaps even some of those responsible for handling and processing data. These people badly need to know about and understand GDPR. Unless there’s good awareness of their responsibilities and the consequences for failing to meet them, data protection won’t get the attention it needs.

Businesses need to tackle that now and wake up to how the GDPR changes the game – before the rest of the public do.