GDPR still a mystery to SMEs: the risks of non-compliance

GDPR is designed to give EU citizens more control over the information held about them online. The regulation impacts every company that handles personal data, but how much do small business owners know about GDPR? And are they aware of how it could affect their business? We speak to the Lead Cyber Underwriter at Hiscox UK, Stephen Ridley, to find out more

The General Data Protection Regulation (GDPR) came into force in May 2018. But despite enormous publicity surrounding the new amendment to the European data protection law, many business owners still lack knowledge about the consequences of not meeting its provisions and requirements. A recent investigation into SME owners’ engagement with the digital landscape(1) showed that 39% don’t know who GDPR affects, while 1 in 10 respondents don’t think GDPR gives consumers any new rights. This lack of awareness is concerning as SMEs are putting themselves at serious risk by ignoring the new regulation. Perhaps indicative of why SMEs have failed to engage with the information distributed about the new regulation was the answer to the question: “What have you found most annoying online in 2018?” Alongside nuisance PPI phone calls and website pop-ups, constant communication about GDPR topped the list. This suggests that the efforts made to spread understanding of the regulation and ensure business compliance have been ineffective – irritating, rather than enlightening, their intended audience. The problem is, this is one area that businesses can’t simply put off until a later date – understanding the new regulation is not an optional extra. So, what is it that SMEs need to know about GDPR?

How GDPR benefits consumers

GDPR is intended to give consumers two main benefits. The first (and perhaps most important) is that their data will be more secure overall. All companies that handle personal data must ensure they have adequate security measures in place to protect the customer data they hold. It doesn’t only apply to the way this data is stored; every aspect of the way customer data is handled is covered. There is also a new 72-hour timeframe in which companies are required to notify customers of a data breach. This is to give customers adequate time to take action to secure their information, such as changing passwords, at an earlier stage. The second benefit is that the regulation will give consumers greater control over their data. Included in this is the right to have any personal data stored on them by a company ‘returned’ in a format that can be easily passed on, even to a competitor of that company. In theory, this means consumers will be able to get better deals from a number of suppliers with greater ease.

Why your consumers’ data matters

With well-known brands being talked about in the media in relation to GDPR, public awareness is on the increase. Consumers are more conscious of how valuable their personal data is and savvier in demanding it is properly secured. Stephen Ridley — Hiscox Lead Cyber Underwriter — predicts an uptick in public action if consumers feel their personal data has been mishandled: “I think we will only see this increase as awareness is raised amongst consumers of their additional rights, and I can also see a greater number of law firms looking to commence group litigation for individuals, especially as PPI claims dry up.” But while the main focus of the new regulation has been centred around personal data and the steps that need to be taken to protect this, Stephen thinks GDPR could benefit the small business owner. “Going through the process and mitigating the potential for a data breach will always stand a company in good stead in the long run, as we’ve seen the damage to reputation that data breaches can have. Compliance with GDPR doesn’t mean that a company is guaranteed not to have a breach, but compliance will mean that the company is best positioned to respond in the event that the worst does happen, which is equally as important in protecting their reputation.”

How businesses should process their customers’ data

When you gather information from your customers (whether you are collecting, storing or deleting it) you are — in GDPR terms — processing it(2). So, if you’re accessing data, for whatever length of time, you need to be mindful of the rules surrounding this. There are six lawful bases for processing personal data under the regulation. These are:

• Consent – you have clear consent to use the data in a specific way; think, gathering browsing data to personalise online adverts.

• Contract – the data is necessary as determined by your contract. For example, processing credit card details when the consumer signs up for a trial period.

• Legal obligation – you need to process the data to comply
