Only two-thirds of UK businesses have given their employees specific GDPR training, according to a survey.
This figure falls to just 26% for small businesses, according to Shred-it’s eighth State of the Industry report.
The research, which was carried out on the eve of the legislation coming into force at the end of May, also found that fewer than half (46%) had reviewed policy notices, only 44% of large businesses had documented the lawful basis of data processing, the same proportion had assigned a data protection officer, and only 39% had updated procedures to detect, report and investigate a data breach.
Companies that breach GDPR can face fines of up to €20 million or 4% of annual turnover, whichever is higher.
‘Alarming gap’
The report described the problem as an “alarming gap” that needed to be addressed.
Neil Percy, VP market development and integration EMEA at Shred-it, said: “It might feel like rough justice for employees to be held to account when training is not comprehensive, but it reflects how difficult this process is, even for businesses with extensive resources.
“There may also be an assumption that some elements are common sense, but that potentially belies how easy it is to be duped by skilled phishers and hackers, or even to lose confidential info during the course of a busy day.”