The UK’s small business community is still “worryingly unprepared” for tough new data protection regulations set to be enforced in less than three months’ time, new research from the Federation of Small Businesses (FSB) suggests.
According to the FSB, 18% of small businesses are totally unaware of the introduction of the General Data Protection Regulation (GDPR) on 25 May, while 34% have only a “little” understanding of it.
Of those small businesses that have taken steps to comply with GDPR, very few are at an advanced stage of preparation, the report added.
More than two-thirds (approximately 3.2 million) have either not yet started to prepare or are only in the early stages of preparations.
In the wholesale and retail sector specifically, 41% have not yet started preparations, while 50% have started but not completed. Just 3% say they are GDPR-ready.
Almost half (43%) of wholesale and retail businesses plan to seek advice from regulator the Information Commissioner’s Office (ICO).
The FSB urged the ICO to take a “proportionate approach to enforcement” and to support small businesses towards compliance as opposed to resorting to fines.
FSB national chairman Mike Cherry said: “The GDPR is the biggest shake-up in data protection to date. It’s clear that a large part of the small business community is still unaware of the steps that they need to take to comply and may be left playing catch-up.
“With less than 100 days until the changes come into force, the attention now shifts to the ICO and whether it can effectively manage the demands of small businesses seeking advice and guidance. Non-compliance must initially be dealt with in a light-touch manner instead of handing down tough penalties.
“The ICO will be critical to creating an environment which focuses on education and prevention and not punishment,” he added.
Information Commissioner, Elizabeth Denham, urged small businesses to visit the website https://ico.org.uk/ where help and advice on compliance was available.
“As regulator, we do have the power to impose larger fines under the GDPR, but we have access to lots of other tools that are well-suited to the task at hand, such as guiding, advising and educating organisations, and these are just as effective,” she said.
This week marks the start of the FSB’s campaign #FSBeDataReady aimed at raising awareness of GDPR among the small business community and supporting them to prepare for the changes.
What the General Data Protection Regulation (GDPR) means to your business
At its heart, the GDPR is designed to prevent personally identifiable information (PII), such as customer names, home, email and IP addresses, and bank details, from being collected and used without consent.
As part of the requirements, the use of personal data must be fully consented to by the individual, and this must be done with a positive, unambiguous opt-in.
People’s personal data, such as names, addresses and card details, will need to be made anonymous so that, in the event of an accidental leak or hack, they cannot be identified.
Individual rights will also be strengthened so that people must be informed within 72 hours if there has been a breach of their personal data.
Individuals will also be able to request information about the data that a store holds on them and they will have the right to have their data rectified or deleted should they wish.
Retailers will also need to ensure that they inform any third parties and data processors (such as loyalty operators, suppliers and beacon technology operators) when a right to rectification is exercised.
The location and purpose of each CCTV camera will need to be clearly justified and documented.
Under GDPR, any person who enters the store and is recorded on CCTV will also have the right to ask for a copy of their personal data from the footage. Retailers will have to supply this within a month and they must ensure that any other individuals who could be identified in the footage are redacted.
Failure to comply with any of these steps could constitute a breach and be subject to a fine of up to €20m or 4% of turnover - whichever is higher.