Almost half a million small businesses do not understand their duties under new data protection rules due to come into effect next May.
Challenger bank Aldermore, which published the report, found that two in five small and medium-sized enterprises (SMEs) have not heard of the General Data Protection Regulation (GDPR).
GDPR, the new EU data protection framework, will be law for all UK businesses from May 2018.
Firms that fail to comply with the new rules risk heavy fines – up to €20 million or four per cent of annual global turnover, whichever is higher.
After extrapolating the results, Aldermore estimated that some 420,000 firms are not aware of the new governance requirements, which include strict rules on data reporting and processing.
This is despite the fact that nearly two-thirds of the businesses surveyed said they have previously suffered a “breach of information”.
Carl D’Ammassa, Aldermore’s business finance group managing director, said: “The GDPR is the biggest shake-up in data protection to date and the results are worrying when looking at the amount of businesses that are unaware of the impact it will have on them.
“Data privacy, the appropriate use of customer information and breach notifications all need to be taken incredibly seriously. This is made especially apparent when one considers the increased sanctions businesses face if they don’t keep to the new regulations, including regular data protection audits, and fines of up to €20m or four per cent of their annual turnover for the most serious violations.”