This IDC Survey examines the awareness, activity, and expectations of small businesses (SBs with 10–99 employees) and midsize firms (MBs with 100–999 employees) regarding the European Union's General Data Protection Regulation (GDPR). The regulation, scheduled to take effect May 25, 2018, has strict requirements for the protection of consumer data, including encryption and protection of anonymity. Potential penalties for noncompliance are severe — up to €20 million ($28 million) or 4% of annual revenue — although regulators are more likely to focus on progress toward the goal than on penalizing those not quite finished with GDPR conformity.
The extent to which European firms cite compliance with new regulations (like GDPR) as a security priority is examined for small and medium-sized companies. GDPR awareness and engagement are then compared across six different categories: aware/have taken steps; aware/need to take steps; aware/no action/none planned; unsure of implications/need to comply; not aware/will need to take action; and not aware/no action/future action unlikely. The share of firms, in general and in detail, that have taken specific steps is then examined both regionally (European and non-European) and in detail for seven countries: United States, United Kingdom, Germany, Japan, India, China, and Brazil. The total share of firms aware of GDPR is examined first, along with the share of firms that believe they will need to take action to comply. The share of firms planning no action, independent of their awareness of GDPR, is also examined.