Business owners are still unprepared for new legislation that could see them fined millions


Upcoming GDPR legislation strategy is proving elusive for SME business owners, and security of metadata is still under-acknowledged.

New research has revealed that two thirds of SME business owners have either no plan in place to tackle, or no knowledge of new upcoming General Data Protection Regulation legislation that could drastically affect their operations.

This means either a steep learning curve, with expensive, last minute compliance and training for employees, or fines of up to €20,000,000 if businesses fail to comply by the mid-2018 deadline.

GDPR will apply to all EU member states as well as businesses trading with EU states from outside the Union. It is intended to establish one set of unified rules for data handling across Europe.

Sensitive data

Of the businesses surveyed, nearly half admit to handling sensitive information like names, addresses and bank details which might be transferred between computers through metadata and would therefore be required to comply with the new data handling legislation.


As part of the new legislation, business owners take on more stringent responsibility for handling of metadata, meaning a very real need to invest in training and new processes to prevent the risk of data breaches and limit their liability. But with the survey revealing that 30 per cent of employers did not even have an awareness of metadata, businesses will need to act fast to ensure that staff are brought up to speed. This rose to 67 per cent for businesses within the finance sector, where management are particularly unaware of the additional information that was being sent along with normal files, despite one fifth of all workers in the sector claiming to send in excess of 1000 attachments every week.

Other sectors

Of those surveyed from the SME legal sector, all said they knew what metadata was, and already had systems in place to manage it. This compares to only half of Public Sector and Government workers, who said the same, despite handling equally sensitive materials. 43 per cent of life sciences businesses stated that they had processes in place to ensure security of data.

Remote working increases risks of data leak

Over half of businesses surveyed allow for remote working; employees are encouraged to work from home, coffee shops and hot desks in off-site locations, rather than lose billable hours travelling between meetings or conferences.

Risks of losing removable storage including USB sticks and external hard drives, portable devices and laptops, or accessing unencrypted Wi-Fi access points commonly used throughout the city, means remote workers will be under increased pressure to ensure the safe transfer of data and scrubbing of sensitive metadata.

What action should businesses take?

“There are a number of important steps that businesses should take before the May 2018 deadline.” Says Ben Mitchell, Vice President of DocsCorp Europe, Middle East, and Africa.

“Firstly, evaluate all internal operations that involve the handling of secure data. Identify any areas that might present the risk of a data breach, and design processes to minimise that risk. Train employees where necessary, and implement smart systems and software to ensure security. Finally, understand the processes for reporting any breach to the proper EU authorities, as failure to report may escalate sanctions, penalties and fines, which can be up to €20,000,000, or 4 per cent of your organisation’s global turnover, whichever is higher.”