The GDPR comes into force in May 2018 and on 24 January 2018 the DCMS released a report indicating how prepared small businesses and charities are for the new legislation. The statistics in the report are taken from the Cyber Security Breaches Survey 2018. The survey was carried out between October and December 2017 and collated responses from 1,519 businesses and a sample of registered charities (569 in total).

The report focuses on how aware businesses are of the incoming changes and how they are preparing for this, especially in relation to cyber security. The key findings include:


The question asked was “Before this interview, had you heard of the General Data Protection Regulation or GDPR?”

The responses indicated that 38% of businesses and 44% of charities are aware of the GDPR, but that smaller organisations are less aware of GDPR than medium and large organisations.

In addition, the sectors that had higher awareness are finance and insurance, information or communications and education. Lower awareness was found in the construction and manufacturing sectors.


The question asked was “Has your organisation made any changes (or not) to the way you operate in response to GDPR?”

It was found that, of those who expressed awareness, only 27% of businesses and 26% of charities have made active changes in response to GDPR. Again, finance and insurance featured highly, with 54% of the businesses who made changes being in these sectors.

For charities, 66 % of those with income at £5 million or over had made changes which is significantly above the sector average of 26%.

Cyber security preparations

The question asked was “Have any of these changes been related to your cyber security policy or processes (or not)? If yes, what changes have you made relating to your cyber security policy and processes?”

Of those that have made changes to how they operate, 49% of businesses and 35% of charities say that changes made relate to their cyber security practices.

Next steps

The government plans to publish key findings from the full report by April 2018, before carrying out qualitative interviews of a subsample of businesses and charities. Further, more detailed, results based on the qualitative studies are expected sometime between summer 2018 and winter 2018/19. The GDPR comes into force on 25 May 2018.