Warnings to give way to fines on companies that ignore data protection regulations
A year on from the introduction of the General Data Protection Regulation (GDPR), which requires companies to have a lawful basis (such as the customer's consent) for holding the details of customers and potential customers on their databases, Andy Jenkins, Operations Director of insurance and risk management company Russell Scanlan, says many SMEs still have a long way to go to comply. And not complying is now more likely to result in a fine.
European data protection authorities have received more than 200,000 complaints and breach notifications under GDPR in the past year. The regulators say they have so far been lenient. In future they will be more likely to impose penalties.
The introduction of GDPR was one of the biggest sets of changes in decades to how businesses collect, store and use data. A great deal of time and effort was put into making sure businesses were ready for the deadline, and many of us were bombarded with emails asking whether we were happy for companies to continue to hold our personal information.
Despite the publicity given to the new regulation, the ensuing flurry of activity and the subsequent high-profile fine imposed on Google, there is still a lack of awareness among business owners of the consequences of failing to meet the new requirements.
During the first few months after GDPR came into operation last year, the Information Commissioner's Office (ICO) in the UK started exploratory investigations into how companies were implementing the new law. At first, the ICO mainly offered recommendations and guidance to companies found to be in breach. In effect, it allowed a little leeway and gave businesses the opportunity to get their houses in order. That phase is now largely over, and the one-year anniversary is likely to see a ramping up of enforcement, particularly for organisations that are reported for a second or even third breach.
Rather than highlighting the importance of data protection, high-profile fines levied against giants like Google seem to have had the opposite effect. Many small and medium-sized businesses are operating under the misconception that GDPR only really affects large corporations.
According to a Hiscox survey of SMEs, over a third (39%) do not know who GDPR affects. A further 10% of SMEs do not think that consumers have any new rights following the introduction of GDPR, and the overwhelming majority of small business owners are not aware that GDPR fines operate on a two-tier system: up to 2% of a company's annual worldwide turnover or £7.9 million, whichever is higher, for the lower tier, and up to 4% or £17 million, whichever is higher, for the upper tier.
GDPR compliance was not a one-off exercise. It requires ongoing attention. As more examples emerge of smaller, less well-known organisations facing hefty fines, business owners will be forced to ensure that data protection is front of mind across the whole business.
Given the potential financial penalties, no business can or should avoid taking a careful look at its GDPR responsibilities and understanding what it has to do to safeguard its customers' details. Transparency is key: being clear about what personal data is collected and why. Where the business relies on consent, customers must have a clear and easy way to opt out or withdraw that consent for the data to be held by the company.
Businesses should work through the five Ws of GDPR: where the data come from, where they are stored and where they are transferred to; what the data are; who has access to the database; why the business holds the data; and when the data were gathered. The answers form the data inventory that every later decision about retention, access and security rests on.
Based on those answers, the business should then devise a Data Protection Policy that defines the permitted uses of the data, how long the data are retained, and the security and access controls that apply.
Next, the company should establish a Data Security Policy and consider using external consultants to undertake network penetration tests and close any gaps in IT network security. Do not forget portable devices: a laptop, phone or USB stick that holds personal data should be encrypted, because a login password alone does not protect the data on a lost or stolen device. Do not overlook the physical security of the building in which data are stored, either.
Finally, businesses must also have a clear plan of action in the event of a security breach, bearing in mind that GDPR requires a breach that puts people's rights at risk to be reported to the regulator within 72 hours of the business becoming aware of it. This is where cyber and data risks insurance can be valuable. Investigating and fixing a data breach can take a lot of time and money and be extremely damaging to small and medium-sized businesses in terms of business disruption, financial cost and damage to reputation. Cyber policies can provide critical help from IT specialists and legal experts to resolve the incident as quickly as possible while making sure the regulatory requirements, including that reporting deadline, are met.
For more information on GDPR and how to make sure you are covered in the event of a cyber breach, contact the Russell Scanlan team.