GDPR still a mystery to SMEs: the risks of non-compliance

This blog was updated on 3rd May 2019.

GDPR is designed to give EU citizens more control over the information held about them online. The regulation impacts every company that handles personal data, but how much do small business owners know about GDPR? And are they aware of how it could affect their business? We speak to the lead cyber underwriter at Hiscox UK, Stephen Ridley, to find out more.

The General Data Protection Regulation (GDPR) came into force in May 2018. But despite enormous publicity surrounding the new amendment to the European data protection law, many business owners still lack knowledge about the consequences of not meeting its provisions and requirements.

A recent investigation into SME owners’ engagement with the digital landscape(1) showed that 39% don’t know who GDPR affects, while 1 in 10 respondents don’t think GDPR gives consumers any new rights. This lack of awareness is concerning as SMEs are putting themselves at serious risk by ignoring the new regulation.

Perhaps indicative of why SMEs have failed to engage with the information distributed about the new regulation was the answer to the question: 'What have you found most annoying online in 2018?' Alongside nuisance PPI phone calls and website pop-ups, constant communication about GDPR topped the list.

This suggests that the efforts made to spread understanding of the regulation and ensure business compliance have been ineffective – irritating, rather than enlightening, their intended audience. The problem is, this is one area that businesses can’t simply put off until a later date – understanding the new regulation is not an optional extra. So, what is it that SMEs need to know about GDPR?

How GDPR benefits consumers

GDPR is intended to give consumers two main benefits. The first (and perhaps most important) is that their data will be more secure overall. All companies that handle personal data must ensure they have adequate security measures in place to protect the customer data they hold. It doesn’t only apply to the way this data is stored; every aspect of the way customer data is handled is covered.

There is also a new 72-hour time frame in which companies are required to notify customers of a data breach. This is to give customers adequate time to take action to secure their information, such as changing passwords, at an earlier stage.

The regulation will give consumers greater control over their data. Included in this is the right to have any personal data stored on them by a company ‘returned’ in a format that can be easily passed on, even to a competitor of that company. In theory, this means consumers will be able to get better deals from a number of suppliers with greater ease.

Why your consumers’ data matters

With well-known brands being talked about in the media in relation to GDPR, public awareness is on the rise. Consumers are more conscious of how valuable their personal data is and savvier in demanding it is properly secured.

Stephen Ridley, Hiscox lead cyber underwriter, predicts an uptick in public action if consumers feel their personal data has been mishandled: “I think we will only see this increase as awareness is raised amongst consumers of their additional rights, and I can also see a greater number of law firms looking to commence group litigation for individuals, especially as PPI claims dry up.”

But while the main focus of the new regulation has been centred around personal data and the steps that need to be taken to protect this, Stephen thinks GDPR could benefit the small business owner.

“Going through the process and mitigating the potential for a data breach will always stand a company in good stead in the long run, as we’ve seen the damage to reputation that data breaches can have.

"Compliance with GDPR doesn’t mean that a company is guaranteed not to have a breach, but compliance will mean that the company is best positioned to respond in the event that the worst does happen, which is equally as important in protecting their reputation.”

How businesses should process their customers’ data

When you gather information from your customers (whether you are collecting, storing or deleting it) you are, in GDPR terms, processing it.(2) So, if you’re accessing data, for whatever length of time, you need to be mindful of the rules surrounding this.

There are six lawful bases for processing personal data under the regulation. These are

• Consent – you have clear consent to use the data in a specific way; think, gathering browsing data to personalise online adverts
• Contract – the data is necessary as determined by your contract. For example, processing credit card details when the consumer signs up for a trial period
• Legal obligation – you need to process the data to comply with the law – this could be to deliver to a regulatory body or as part of a criminal investigation
• Vital interests – processing needs to be done to protect someone’s life
• Public task data processing needs to be done for you to complete a task in the public interest, and this has a clear basis in law
• Legitimate interests – processing is necessary for legitimate interests, such as fraud protection, unless there is good reason to protect the data

Much of the focus so far has been on affirmative consent from data subjects in order to reduce unsolicited marketing, with one of the most noticeable effects being the 'cookie consent' pop-up on every new web page visited.

But, as Stephen Ridley explains, this isn’t a panacea for all GDPR infractions.

“In some cases, this seems to have morphed into a belief that consent is always required; completely forgetting about the other 5 bases, many of which are often more appropriate.

"There is also a chance that we could see this disbelief lead to a rise in complaints, or worse, from consumers, if they have not given consent, but the company processing their data has another lawful basis for doing so.”

Businesses can help to protect themselves by taking advice on their privacy policy and standard contract terms from a lawyer. This will ensure they are using the most suitable basis for processing customer data.

Many SMEs still not fully compliant

Despite the publicity surrounding GDPR, especially in the months before it came into force, our survey showed many SMEs were unprepared for – or misunderstood – the changes. Stephen Ridley believes there are some businesses who seemed to have done the absolute minimum, such as update their website’s privacy notice, and are still a long way from fully complying. The main confusion appears to be around understanding the nature and volume of the data they process.

Stephen explains: “I imagine that very few companies would have adequate and documented processes in place to ensure that they are able to comply with a subject access request (i.e. the requirement to provide a data subject with all of the personal data that is held on them) within the 30-day period as stipulated by GDPR.

"Failing to do so opens up the potential for regulatory action by the ICO, and even a financial penalty. These matters would fall into the lower fine bracket, with a maximum of £7.9m or 2% of global turnover – though fines at that level are likely to be reserved for the most severe breaches by large companies.”

GDPR should be taken seriously

The Information Commissioner’s Office (ICO) reports that complaints of data breaches were up 160% in the six weeks since GDPR came into force.

From our survey we found 96% of small business owners don’t know the maximum fine for breaching GDPR. This could imply that small business owners aren’t taking GDPR seriously enough which, given the potential damage a data breach could have on a small enterprise, is a worrying statistic.

There are two tiers of fine that can be issued under GDPR depending on the nature of the incident. The lower bracket is either £7.9m or 2% of the company’s global turnover, whichever is higher.

The second, higher, tier is for more severe incidents and this is £17m or 4% of annual global turnover. These fines can be cumulative if there is deemed to be more than one incident of breached data, so the cost of non-compliance can be a hefty one.

However, breaches of the new regulation will be considered on a case-by-case basis. This means the focus will be mainly on the nature of the infringement and take into account a number of things, such as how many customers have been affected and if the company has any previous infractions.

The decision to implement a fine, and what level of fine – if any – to be used, depends on how the company reacted to the breach as well as the nature of it.

As an SME, the potential fines and figures might seem fairly abstract, but as GDPR becomes bedded in, the likelihood is that it will be increasingly policed. By ensuring a foundational good practice now, you’ll stand yourself in better stead should anything happen in the future.

There is still time to comply with GDPR

Small business owners need to take notice of the new regulation, as failure to do so can result in severe penalties and reputational damage.

Transparency lies at the heart of GDPR, meaning small businesses need to be absolutely clear what personal data they are collecting and what it will be used for – and use the most accessible language while doing so. There needs to be a clear option for consumers to opt out, or to withdraw previously granted consent.

In the face of potential penalties and penalisation, having the right business insurance might be the difference between folding or continuing to trade.

Cyber and Data Insurance from Hiscox could be a key factor in helping businesses comply with the strict requirements of GDPR in the event a business suffers a data breach. The policy provides access to a range of experts, such as IT forensics and legal specialists, who can help to resolve an incident as quickly as possible and ensure regulatory requirements (such as the need to notify the ICO within 72 hours of discovering a breach) are met.

The ICO has been very fair so far and hasn’t penalised companies harshly where they can show that they have taken proportionate action to remedy incidents and comply with the new regulation. But this doesn’t mean SMEs can put GDPR on the back burner – far from it.

With so much coverage in the media, there isn’t really any excuse for small business owners to claim ignorance, and the ICO has already shown their willingness to pursue small businesses where they do fall foul of the law.

Find out more about the possible data breach penalties (external link) under GDPR.

___

(1) Survey of 500 small business owners, conducted by Hiscox, 2018
(2) https://gdpr-info.eu/issues/processing/

Additional sources:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
https://www.independent.co.uk/news/business/news/data-breach-complaints-increase-gdpr-came-into-force-cybersecurity-a8506711.html
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/06/bible-society-fined-after-security-failings/
https://ico.org.uk/action-weve-taken/enforcement/ainsworth-lord-estates-limited-june-2018/
https://ico.org.uk/action-weve-taken/enforcement/boomerang-video-ltd/