Small and medium-sized enterprises in Greece are largely unprepared for the implementation of the new General Data Protection Regulation (GDPR) code of conduct that goes into effect two days from now, according to the findings of a survey unveiled on Wednesday.

The survey was carried out the General Confederation of Professionals, Merchants and Craftsmen (GSEVEE) in collaboration with the Hellenic Association of Mobile Applications Companies and Kapa Research.

At an event on the application of the new GDPR code held at GSEVEE's auditorium on Wednesday, speakers pointed out a need to create a framework that is friendly to SMEs and allows them to adjust gradually, while pointing out potential problems that may arise, such as lack of clarity over the obligations that companies have under the new code and high compliance costs.

While welcoming the new code of conduct and its aims in principle, GSEVEE also called for measures to ensure equal treatment and protection of citizens and businesses, transparency and accountability, competition on equal terms and reproduction of the real economy without additional costs. It proposed a support mechanism to assist companies' gradual adjustment to the GDPR code, including free information and a guide on the obligations of companies in various sectors on how they can keep data.

Based on the findings of the survey, which was carried out between May 15-21 using a sample of 1,004 enterprises, one third of Greek companies did not know whether it is obliged to declare the information that it keeps on its customers to the Personal Data Protection Authority, while this rose to 39 pct for its staff.

Only one in four businesses said it was well informed about the new GDPR code, while one in three had only heard of it and 43 pct knew nothing about it whatsoever. Nearly half (47 pct) of businesses were unaware of the obligations of businesses under the new code and a significant number was unaware of its exact obligations when keeping data files.

Four in five businesses had taken no action to prepare for the new code internally, while 82 pct had no emergency action plan in case of a data breach, while 80 pct kept data in the form of electronic files, mostly on computers.

The survey also revealed that a large number of small businesses had been approached by private firms offering consultancy services for compliance with the GDPR code, charging prices exceeding 1,000 euros annually. GSEVEE warned that, at such unaffordable prices, many SMEs would resort to the informal economy to avoid the extra cost.

Among consumers, the survey showed that three in four are concerned over the security of their personal data and levels of trust toward companies that collect such large amounts of data (banks, telecoms, electronic platforms, social media) is very low. The information they are least concerned about, however, is identity and address, which means the management burden for SMEs is relatively lower than for larger firms.