with the law – this could be to deliver to a regulatory body or as part of a criminal investigation.
• Vital interests – processing needs to be done to protect someone’s life.
• Public task – data processing needs to be done for you to complete a task in the public interest, and this has a clear basis in law.
• Legitimate interests – processing is necessary for legitimate interests, such as fraud protection, unless there is good reason to protect the data.
Much of the focus so far has been on affirmative consent from data subjects in order to reduce unsolicited marketing – one of the most noticeable effects being the “cookie consent” pop-up on every new web page visited. But, as Stephen Ridley explains, this isn’t a panacea for all GDPR infractions. “In some cases, this seems to have morphed into a belief that consent is always required; completely forgetting about the other 5 bases, many of which are often more appropriate. There is also a chance that we could see this misbelief lead to a rise in complaints, or worse, from consumers, if they have not given consent, but the company processing their data has another lawful basis for doing so.” Businesses can help to protect themselves by taking advice
Many SMEs still not fully compliant
Despite the publicity surrounding GDPR, especially in the months before it came into force, our survey showed many SMEs were unprepared for – or misunderstood – the changes. Stephen Ridley believes there are some businesses that seem to have done the absolute minimum, such as updating their website’s privacy notice, and are still a long way from fully complying.

The main confusion appears to be around understanding the nature and volume of the data they process. Stephen explains, “I imagine that very few companies would have adequate and documented processes in place to ensure that they are able to comply with a subject access request (i.e. the requirement to provide a data subject with all of the personal data that is held on them) within the 30-day period as stipulated by GDPR. Failing to do so opens up the potential for regulatory action by the ICO, and even a financial penalty. These matters would fall into the lower fine bracket, with a maximum of £7.9m or 2% of global turnover – though fines at that level are likely to be reserved for the most severe breaches by large companies.”
GDPR should be taken seriously
The Information Commissioner’s Office (ICO) reports that complaints of data breaches were up 160% in the six weeks since GDPR came into force. From our survey we found 96% of small business owners don’t know the maximum fine for breaching GDPR. This could imply that small business owners aren’t taking GDPR seriously enough which, given the potential damage a data breach could have on a small enterprise, is a worrying statistic.

There are two tiers of fine that can be issued under GDPR depending on the nature of the incident. The lower bracket is either £7.9m or 2% of the company’s global turnover, whichever is higher. The second, higher tier is for more severe incidents and this is £17m or 4% of annual global turnover. These fines can be cumulative if there is deemed to be more than one incident of breached data, so the cost of non-compliance can be a hefty one.

However, breaches of the new regulation will be considered on a case-by-case basis. This means the focus will be mainly on the nature of the infringement and take into account a number of things, such as how many customers have been affected and if the company has any previous infractions. The decision to implement a fine, and what level of fine – if any – to be used, depends on how the company reacted to the breach as well as the nature of it.

As an SME, the potential fines and figures might seem fairly abstract, but as GDPR becomes bedded in, the likelihood is that it will be increasingly policed. By ensuring a foundational good practice now, you’ll stand yourself in better stead should anything happen in the future.

(1) Survey of 500 small business owners, conducted by Hiscox, 2018
(2) https://gdpr-info.eu/issues/processing/
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
https://www.independent.co.uk/news/business/news/data-breach-complaints-increase-gdpr-came-into-force-cybersecurity-a8506711.html
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/06/bible-society-fined-after-security-failings/
https://ico.org.uk/action-weve-taken/enforcement/ainsworth-lord-estates-limited-june-2018/
https://ico.org.uk/action-weve-taken/enforcement/boomerang-video-ltd/
There is still time to comply with GDPR
Small business owners need to take notice of the new regulation, as failure to do so can result in severe penalties and reputational damage. Transparency is at the heart of GDPR, meaning small businesses need to be absolutely clear what personal data they are collecting and what it will be used for – and use the most accessible language while doing so. There needs to be a clear option for consumers to opt out, or to withdraw previously granted consent.

In the event a business is penalised, having the right insurance might be the difference between folding and continuing to trade. Professional indemnity insurance from Hiscox could be a key factor in helping businesses comply with the strict requirements of GDPR in the event a business suffers a data breach. The policy provides access to a range of experts, such as IT forensics and legal specialists, who can help to resolve an incident as quickly as possible, as well as ensuring that regulatory requirements (such as the need to notify the ICO within 72 hours of discovering a breach) are met.

The ICO has been very fair so far and hasn’t penalised companies harshly where they can show that they have taken proportionate action to remedy incidents and comply with the new regulation. But this doesn’t mean SMEs can put GDPR on the back burner – far from it. With so much coverage in the media, there isn’t really any excuse for small business owners to claim ignorance, and the ICO has already shown its willingness to pursue small businesses where they do fall foul of the law.