There is still a lot of GDPR ignorance amongst SMEs, with 46% of respondents to a survey saying they haven’t heard of the new regulation.
The survey, conducted on behalf of SME specialist lender and savings bank Aldermore, also revealed that fewer than one in ten (9%) UK SME owners fully understand the implications of GDPR for their business and have taken appropriate steps to prepare for it. This lack of awareness is in contrast to the USA, where 92% of US multinationals surveyed by PwC named GDPR as a top priority and 77% plan to spend $1 million or more on compliance.
With less than nine months remaining until the General Data Protection Regulation comes into force on May 25th 2018, these statistics are worrying.
Financial implications for a breach are high
The new framework is designed to strengthen and unify how data is protected for all individuals and, as we reported in our earlier blog – Demystifying GDPR for the SME Sector – the financial implications of a breach will be costly. Fines for non-compliance are up to 2% of annual worldwide turnover in the previous financial year or €10 million, whichever is the greater, for minor breaches, and up to 4% of annual worldwide turnover in the previous financial year or €20 million, whichever is the greater, for major breaches.
With data breaches hitting the headlines with increasing frequency, Aldermore’s report (which surveyed more than 1000 senior decision makers across the UK) also reveals that more than a fifth (22%) of SMEs and their customers had been directly affected by a data breach in the past 24 months.
Surprisingly, though, only 34% of those surveyed identified cybersecurity as a high priority and have taken steps to protect their business data.
Here are the four things all UK businesses need to know about GDPR
1 – The concerns are justified
This isn’t a new “Millennium Bug”. The concerns and “scaremongering” are justified. All UK businesses that hold data or buy data lists – however small, and irrespective of Brexit – will have to comply with this new regulation by the deadline, or risk fines of up to 4% of their annual worldwide turnover if they breach GDPR.
But, more importantly, the effect on your business brand if you are found to be in breach of GDPR could be even more damaging, as your company name will appear in headlines associated with a lack of security. After TalkTalk admitted breaching existing UK data protection laws and was fined £400,000, it also lost 100,000 customers.
2 – Brexit won’t make any difference
The UK Government has already issued a statement that it will adhere to GDPR whether or not the UK remains within the European Union. In a video released by the ICO, Information Commissioner Elizabeth Denham talks about “the biggest change to data protection law for a generation.” The ICO has also issued a 12 Steps to Take Now guide, which is a must-read.
3 – Data protection is good for business
Cybercrime is big business, so getting it right and earning a reputation as a trusted brand that is fully compliant with all data protection regulations can only be a benefit. Data privacy is treated as a basic human right under GDPR, meaning customers can have more faith in the many businesses they entrust their data to.
Meeting ISO 27001 – the new information security standard – will demonstrate to customers and stakeholders that an organisation’s information security policy is robust and fit for purpose.
4 – GDPR isn’t a one-off
Compliance with GDPR isn’t going to be a one-off event; it will be ongoing, and businesses which get on top of their data protection now will be in a better position to avoid the expensive fallout from a breach.
There are no 100% guarantees of never falling victim to a data breach, but ensuring that any data your company holds is handled in line with GDPR, as well as the UK’s Data Protection Act and the Privacy and Electronic Communications Regulations, will go a long way.
Next steps to take
Robust data protection is not simply a burden on an organisation; good data protection practices should protect both brand and reputation, and improve data quality. An organisation with mature data protection practices should be able to meet many of the GDPR’s requirements.
Seriously consider employing or nominating a Data Protection Officer. Steve Durbin, managing director of the Information Security Forum (ISF), believes a DPO is essential for many organisations to understand the impact of GDPR as soon as possible.
The ISF recommends that an organisation should:
- determine the applicability of the GDPR to data processing activities
- evaluate the effectiveness of data protection controls
- assess the scope of data protection capabilities
- understand the consequences if the GDPR’s requirements are not met
- aim to comply by 25 May 2018
At the heart of being GDPR compliant is good data management. Work out what personal data you have, where it is and how you obtained it. Get rid of it if you don’t need it.
GDPR is possibly only the start of tighter regulations. Hopefully companies introducing data protection roles within their business operations will help define a new data era – one which is responsible and fair to users and that leads to smarter – and more secure – companies.
You can follow the ICO’s Twitter account, @ICOnews, to get up-to-date information on GDPR, and make sure you read our other blogs on the subject: