GDPR a year on – how are SMEs shaping up?

From a media perspective, things have been quiet since the introduction of GDPR in May 2018, but that’s not to say that Data Protection incidents have not been in the headlines with the relativity recent British Airways, Facebook and Marriot data breaches.  As yet, no major investigations have concluded and no significant fines have been issued.

Data security incidents reported to the ICO have doubled over the past ten months with the vast majority pinned on human error.  While 2,214 incidents reported last year could be attributed to incompetence or error, only 292 were seen as being related with malicious activity.  Among the most common incidents were 447 instances of confidential data being emailed to the incorrect recipient, 438 instances of loss or theft of paperwork, and 164 instances of data left in an insecure location.

With GDPR now requiring organisations of all sizes to report all potential data breaches to the ICO within 72 hours, the number of recorded incidents is only set to rise with GDPR’s impact growing in 2019 when the full legislative capabilities are realised. If the breach is likely to result in a high risk to the rights and freedoms of an individual, those individuals must be informed without delay.

According to a survey by SME insurer Hiscox, 39% of SMEs still do not know who GDPR actually affects, and a further 10% still believe customers don’t actually have any new rights since the introduction of GDPR even though it’s been 12 months since its introduction last May.

The survey also found that the overwhelming majority of small business owners were not aware of the potential fines for breaching GDPR which, depending on the severity and nature of the breach, range from £7.9m or 2% of the company’s global turnover to £17m or 4% of annual global turnover.

As business advisers we recommend that you have appropriate security in place to prevent the personal data you hold being compromised, whether that be accidentally or purposefully. These measures will depend on your risk assessment and the cost of implementing them.

The responsibility for compliance (any penalties for non-compliance) with GDPR rest with the organisation and therefore your Data Controller and /or Data Protection Officer roles are important ones.

It’s vital that businesses continually educate their teams to ensure breaches are being recorded and lessons learned from those incidents. Check your breaches register regularly and ensure processes are regularly reviewed with the goal of identifying patterns.

Peter Smith, President and COO at Golden Spiral, also advises: “Now that the GDPR has been in effect for a while, most businesses who needed to comply with the regulations have done so (amidst panic and long workdays, nonetheless). But many businesses—specifically B2B tech companies who are located in the U.S., and strictly sell to other businesses in the U.S.—have ridden the bench on the sidelines without changing much of their data policies.

“Here’s what we’re telling our clients about GDPR:

“According to the GDPR, you must let individuals know how their data is being stored and used. This is most commonly done using a business privacy policy. If companies haven’t done so already, they should audit their privacy policy to find gaps and vague content, and update it with precise information on how data is used and stored.

“With GDPR, the opt-in forms for webinars, eBooks, white papers and other content offers, also need to allow a user to provide opt-in consent before a company is allowed to track, retarget or mail those users. This opt-in consent should be added to the bottom of all forms, with a simple checkbox that is un-checked by default for GDPR compliance.”

For further information on GDPR, please contact IT Specialist Richard Bacon on 023 8046 1255 or email richard.bacon@hwb-accountants.com