When it comes to legislation names, the European Union’s General Data Protection Regulation (GDPR) couldn’t sound blander, but the new rules and their impact should not be underestimated or ignored. There’s not much time to get familiar with the terminology and ensure compliance within your business, as it comes into force in May 2018.
It’s set to significantly change the way in which small and medium-sized enterprises (SMEs) manage and store their customers’ data. What’s more, if you’re found to be non-compliant in the storage and handling of data, the business will be subject to tough punishments. It could be fined up to 4% of annual turnover or €20 million (£17.59 million), whichever is greater, so it’s a piece of legislation that needs to be respected and adhered to.
GDPR will also impose a duty on all organisations to report certain data breaches to the relevant supervisory authority and in some instances to the individuals affected, as well as giving customers the right to be ‘forgotten’, which requires firms to erase all their information.
Essentially, the EU wants to give consumers powerful rights and protection over their data. Consent will have to be given for use of this data. And even though Brexit (the UK’s exit from the European Union) is now in full swing, the GDPR legislation will be enforceable in the UK too.
Ian Beeby, a barrister who teaches an intensive GDPR course aimed at data professionals, lawyers and business leaders, confirms that Brexit has the potential to complicate the GDPR as it is viewed from the UK, particularly after the UK has left the EU, but he adds: “However, any business owner selling services to or handling the personal information of people who are in the European Union, whether in post-Brexit UK or elsewhere outside the Union, will still need to comply with the provisions of the GDPR.” So, basically, we are stuck with GDPR – whether we like it or not.
But why is it necessary? “By creating the GDPR as a Regulation, a bloc-wide consistency mechanism can be enforced which should, it is hoped, remove some of the inconsistencies in enforcement and approach that exist under the current legislation,” explains Beeby.
“A second and significant reason is that existing legislation does not fully take into account recent developments in technology such as the Internet of Things, Cloud Computing and various business and market developments,” he adds.
Underprepared and exposed
Not prepared yet? You’re not alone. Industry commentators, including specialist bank Aldermore and market research firm YouGov, have looked into preparedness among SMEs, and the figures aren’t very encouraging.
The latest Aldermore Future Attitudes study of small and medium-sized enterprise (SME) owners revealed this month that fewer than one in ten (9%) SME owners in the UK fully understand what the forthcoming EU GDPR actually means for their business or have taken the appropriate steps to prepare for it.
Similarly, a recent YouGov survey shows that a mere 29% of UK businesses have started preparing for the GDPR, and there are fears that many businesses won’t be ready by May 2018. The YouGov survey highlights that the reason for non-compliance is a lack of awareness: 38% of the decision makers surveyed said they were not aware of GDPR, and 33% thought it was not relevant to their particular sector.
Ultimately, it’s necessary regulation because recent industry figures from the Federation of Small Businesses show that two thirds (66%) of SMEs have been victims of cyber-crime since they launched. Aldermore’s report, which surveyed over a thousand senior decision makers across the UK, reveals that more than a fifth (22%) of SMEs and their customers have been directly affected by a data breach in the past two years. More than half (55%) of business owners are concerned about cyber-crime and the impact it might have on their firms, with a further two in five (39%) SME bosses also anticipating that a cyber-attack could have a significant financial impact on their business.
But sadly, only a third (34%) regard protection against cyber-crime as a high priority and have taken steps to protect themselves. Aldermore added that a further fifth (22%) realise it is an important issue but haven’t found the time to look into appropriate safeguards, with a further one in ten (12%) saying that they cannot afford to shield themselves adequately.
Others don’t blame budgetary constraints as the reason for their lack of compliance. Surprisingly, a quarter (25%) of business owners said protection against cyber-attacks is not an important issue for their businesses. The research also revealed that only half (49%) of UK SMEs currently have data breach policies in place around the use of email, internet and mobile devices.
The reality is that all businesses, regardless of size, are vulnerable to cyber-attacks. In an earlier post, RiskHeads reported how the Lazarus Group was responsible for a series of devastating cyber-attacks against government organisations, media and financial institutions over the last decade. The largest organisations targeted include Sony Pictures and the Central Bank of Bangladesh, and earlier this year the ‘Petya’ and ‘WannaCry’ malware attacks caused disruption to the National Health Service (NHS) and other large organisations.
“The GDPR is the biggest shake-up in data protection to date and the results are worrying when looking at the number of businesses that are unaware of the impact it will have on them. Data privacy, the appropriate use of customer information and breach notifications all need to be taken incredibly seriously,” points out Carl D’Ammassa, group managing director, business finance at Aldermore.
He adds: “The danger of cyber-attacks for all businesses, not just SMEs, is an ever-present one and is something that is likely to increase as economic activity moves to the digital world. With these attacks having a significant financial and reputational impact on a business, it is crucial all SMEs take adequate time to analyse and protect themselves against this threat.”
How to introduce compliance
Cyber security may be on your radar, but you may lack the training to deal with an incident. However, it’s vital to ensure that you or another member of your company knows what to do when the business is attacked and data is compromised. Knowing what to do in such an emergency will not only ensure that you avoid regulatory fines; acting quickly to prevent or stop an attack can also save the business time and money.
If you and your business are one of the many that have not started to consider GDPR and its full impact, it’s best to start now. Adhering to GDPR, while perhaps a bugbear, will ensure that your business upholds the digital rights of its customers and will help to establish trust. Get started by assessing any privacy risks associated with the way in which you conduct your business and get your IT team (whether internal or external) involved in the process to ensure your company’s clients are protected.
Be wary of ‘snake oil salesmen’
There’s plenty of literature about GDPR, especially online, and the Information Commissioner’s Office has published a handy guide on its website. There are also training videos and courses to attend, but you have to be careful where you get your training from and ensure that you are educated by those in the know.
This can be tricky, though. Beeby admits that the “elephant in the room” with GDPR is the current lack of regulation or accreditation of practitioners, training courses and the like. “There are a significant number of ‘snake oil salesmen’ out there offering, inter alia, software services to render a business ‘GDPR compliant’ when of course there is no such simple solution,” he explains.
He points out that there’s also a difference between “consultancy” and legal advice. “The best approach, in my view, is to consider the whole business as a system and to analyse that system in terms of the nature of personal data held, what processing is taking place, the reasons for it and how it may need to be altered in order to be compliant or, alternatively, what additional checks, processes and balances need to be put in place to be compliant,” says Beeby.
GDPR may mean the end for some businesses that don’t comply or take this regulation seriously. But for those that get the right expertise, there shouldn’t be a worry about complying with the legislation and, ultimately, protecting customers’ precious data.
“There is no doubt in my mind that certain business sectors are going to find their whole business model severely strained by ensuring compliance with GDPR, if that is indeed possible for some. For those businesses non-compliance will likely be fatal to the business itself. For most, ensuring that an appropriate degree of minimisation is carried out and that proper consent and notification are obtained and carried out respectively should enable compliance with the minimum of fuss. To understand what is needed for a particular business will require more than just ‘consultancy’,” warns Beeby.