New research shows that the average UK SME has spent more than 600 hours in the last year preparing for General Data Protection Regulation (GDPR).

Commissioned by The Data Compliance Doctors, the research was delivered by Atomik Research, and took place from 25 October to 2 November 2017, among a sample of 500 SME owners.

Despite the reported time spent on preparing for the new legislation, due to come into effect on 25 May 2018, two out of five (equivalent to 2.1 million small businesses) have not started to plan for GPDR.

More than a quarter of SMEs said that they had hired new staff to help prepare for GDPR, spending an average of £13,300 on salaries so far. As a result, 54% now feel they have the right expertise in-house. Half of those questioned have also invested in expert guidance or consultancy, spending almost £8,000 each on fees to date.

When asked about their plans, most business owners (69%) plan to contact customers directly for consent to retain and process their data. Many will use a combination of methods, with 70% doing it via email, 43% by phone and 38% by letter. 61% also plan to use the ‘legitimate interest’ route to comply.

Most business owners are scheduling their GDPR compliance outreach between 1 and 15 January 2018.

Lisa Chittenden, Data Compliance Doctor at The Data Compliance Doctors, said: “Our survey has revealed a mixed bag in terms of GDPR preparation among SMEs. Some have spent a lot of time and money to ensure they are in a good position come May 25, 2018.

“However, our figures show there are many thousands that have not even started, despite all the discussion and media stories in recent months. But, with six months to go, it’s not too late to get yourself up to speed.