Nearly one year on, many businesses are still neglecting GDPR. Hiscox's Stephen Ridley, Product Head for cyber and data risks, discusses why some businesses still fight shy of GDPR compliance and why they risk large fines and reputational damage if they fail to comply.
Last year, many of us were bombarded with emails from businesses that held our personal details asking if we were happy for them to continue holding that information. The reason: the General Data Protection Regulation (GDPR). In May 2019 it will be a year since the introduction of the EU's data protection law, designed to give individuals in the EU more control over the information companies hold about them.
Despite the publicity that swirled around the new regulation – and those incessant GDPR related emails – there is still a lack of awareness amongst business owners when it comes to the consequences of failing to meet the new requirements. According to a Hiscox survey amongst SMEs, over a third (39%) do not know who GDPR affects. In addition, a further 10% of SMEs don’t think that consumers have any new rights following the introduction of GDPR.
Our survey also revealed that the overwhelming majority of small business owners were not aware of the potential fines for breaching GDPR. These are set in two tiers: up to €10m (roughly £7.9m) or 2% of annual global turnover for the lower tier, and up to €20m (roughly £17m) or 4% of annual global turnover for the higher tier, in each case whichever figure is greater.
It seems that, for many businesses, the weight of GDPR communication simply resulted in switching off rather than coming to terms with their new obligations. It might be why the UK's own data regulator, the Information Commissioner's Office (ICO), saw complaints about data breaches rise by 160% in the first six weeks after GDPR took effect.
Given the potential financial penalties, no business can or should avoid taking a careful look at its GDPR responsibilities and understanding what it has to do to safeguard its customers’ details.
GDPR was introduced to protect consumers by helping to make sure that their data, when held by a third party, is handled lawfully and kept secure. In the digital age, customers have become more aware of the value of their data, and it is likely that there will be increasing instances of group litigation led by lawyers on behalf of individuals who believe their data has been misused or mishandled. When it comes to claims, GDPR could easily be the next PPI story.
Your business as a data controller
Under GDPR, anything your business does with personal data, including simply collecting it, counts as processing. If your business decides why and how that data is processed, it is the data controller. A data processor is a different role: an organisation that handles the data only on a controller's instructions, such as an outsourced payroll or email provider. The regulation sets out six lawful bases for processing: consent, performance of a contract, legal obligation, vital interests, public task and legitimate interests. Consent has been the most talked-about, not least because of all those emails seeking agreement to keep holding your data. Consent is not always required, though. If one of the other five bases applies, the organisation should rely on that basis rather than asking for consent it does not need, because consent can be withdrawn at any time and the processing it supported would then have to stop.
Take legal advice
Some businesses have done the minimum they believe is needed, such as updating their website's privacy notice, and fall far short of full compliance with the regulation. In particular, how many businesses could respond to a customer's request for a copy of all the personal data held about them, known as a subject access request, within the one month the GDPR allows (extendable by a further two months only where requests are complex or numerous)? Answering one means knowing every system, spreadsheet, mailbox and supplier where that customer's data sits, an inventory most businesses have never made.
Offer customers a clear choice
The message is that businesses must take careful note of GDPR and take steps to make sure they are compliant. Transparency is key: be clear about what personal data you are collecting and why. Where you rely on consent, customers must have a genuine choice, and withdrawing consent must be as easy as giving it.
Businesses must also have a clear plan of action in the event they suffer a data breach. GDPR requires a breach that is likely to put individuals at risk to be reported to the ICO within 72 hours of the business becoming aware of it, and affected individuals to be told without undue delay where the risk to them is high, so the plan needs to name who assesses a breach, who decides whether to notify and who makes the notification. This is where professional indemnity insurance from Hiscox can be of vital importance when it comes to meeting GDPR requirements. The policy provides critical help from IT specialists and legal experts to resolve the incident as quickly as possible while making sure regulatory requirements are met.
While GDPR might seem like more red tape, businesses can gain a number of benefits from it, not least because the work of complying (knowing what data you hold, where it is and why you hold it) is the same work that limits the damage when a breach happens. We all know how damaging a data breach can be, so any steps that help preserve a business's reputation should the worst happen are welcome. So, while the penalties for ignoring GDPR are great, the long-term risks to your business could be even greater.
Help protect your business against data breaches, viruses and other attacks from hackers. Hiscox can help minimise any loss and possible damage to your business and its reputation. IoD members receive a 5% discount for the lifetime of their policy.