GDPR One Year On: Have Businesses Done Enough?
A year on from the introduction of GDPR, Andy Jenkins, our Operations Director, explains how many SMEs still have a long way to go to ensure compliance and protect themselves from potential fines as enforcement rates increase.
The introduction of GDPR was one of the biggest sets of changes to how businesses collect, store and use data in decades. A great deal of time and effort was put into making sure businesses were ready for the deadline, and many of us were bombarded with emails asking if we were happy for companies to continue to hold our personal information.
Despite the publicity around the new regulation, the ensuing flurry of activity and subsequent high profile fines, there is still a lack of awareness amongst business owners when it comes to the consequences of failing to meet the new requirements.
During the first few months after GDPR came into operation, the ICO started with exploratory investigations, mainly offering recommendations and guidance for companies in breach. In effect, they allowed a bit of leeway and the opportunity for businesses to get their houses in order. However, this phase is now largely over and the one-year anniversary will undoubtedly see them ramping up enforcement, particularly for those organisations that are reporting a second or even third breach.
Rather than highlighting the importance of data protection, examples of high-profile fines levied against internet giants such as Google seem to have had a counterproductive effect. Many small and medium-sized businesses are operating under the misconception that GDPR only really affects large corporate organisations.
According to a Hiscox survey amongst SMEs, over a third (39%) do not know who GDPR affects. A further 10% of SMEs don’t think that consumers have any new rights following the introduction of GDPR and the overwhelming majority of small business owners were not aware of the potential fines for breaching GDPR which – based on two tiers – range from £7.9m or 2% of the company’s global turnover to £17m or 4% of annual global turnover.
GDPR compliance wasn’t a one-hit wonder; it requires ongoing attention. As more examples of smaller, less well-known organisations facing hefty fines emerge over the coming months and years, business owners will be forced to ensure that data protection is front of mind across the whole business.
Given the potential financial penalties, no business can or should avoid taking a careful look at its GDPR responsibilities and understanding what it has to do to safeguard its customers’ details. Transparency is key – being clear about what personal data the business is collecting and why – and customers must have a clear choice to opt out or withdraw consent.
Businesses should work on the five W’s of GDPR: where the data is coming from, where it is stored and where it is transferred to; what the data is; who has access to the data; why the business holds the data; and when the data was gathered.
Based on the answers, the business should then devise a Data Protection Policy, which should define the terms used surrounding data, the reasons the business holds personal data, its data retention policy, aspects surrounding data security and who has access to the data.
Next, the company should establish a Data Security Policy and consider using external consultants to undertake network penetration tests and seal any gaps in its IT network’s security – not forgetting any portable devices, which should be either password protected or encrypted if they hold personal data. Don’t overlook the physical security of the building in which data is being stored either.
Finally, businesses must also have a clear plan of action in the event that they suffer a data breach. This is where cyber and data risks insurance can be of vital importance when it comes to meeting GDPR requirements. Investigating and fixing a data breach can take a lot of time and money and be extremely damaging to small and medium-sized businesses in terms of business disruption, financial costs and damage to reputation. Cyber policies can provide critical help from IT specialists and legal experts to resolve the incident as quickly as possible, while making sure regulatory requirements are met.
For more information on GDPR and how to make sure you are covered in the event of a cyber breach, get in touch with our team.