Worryingly, government studies have shown that many UK businesses still lack the appropriate level of training and/or security to mitigate cyber-attacks (a whopping two-thirds of FTSE350 managers had little-to-no training or involvement in IT security). In the last year cyber-attacks on medium businesses rose by two-thirds, and it is becoming more and more clear that small businesses are most at risk when it comes to the financial fallout. With the implementation of the GDPR fast approaching (25th May 2018), such insights into the country’s cyber security have sent tech news outlets into a frenzy. But what is the GDPR?
GDPR stands for ‘General Data Protection Regulation’ and is the EU regulation which will supersede the Data Protection Act 1998. It features stricter protection requirements, harsher financial penalties for lack of data protection measures and data breaches, and grants greater powers to consumers. Although the UK has elected to leave the EU, businesses will still be subject to the Regulation when handling the data of EU citizens.
Small businesses will be subject to the GDPR, with one special consideration: those employing fewer than 250 persons will not be obliged to record their processing activities (Article 30) unless the processing of data is a regular occurrence or involves data considered ‘special’ or pertaining to criminal convictions and offences. Otherwise there are no distinctions for business size, even regarding financial penalties.
Under the new Regulation a data breach could result in a fine of up to 4% of the previous year’s profit or €20 million, whichever is higher, depending on the nature and extent of a breach.
Despite such hefty financial repercussions, the government’s Cyber Security Breaches Survey 2017 found that few small businesses had even heard about the GDPR. It also found that those businesses weren’t preparing for it but rather “felt that they would learn to comply with the new requirements when they came into force”. The key to IT security is taking a proactive approach rather than a reactive one, and this will be key when the GDPR comes into full force. Those hoping to make changes only when necessary may find themselves caught short, as a lack of compliance could land them a financial penalty of up to 2% of the previous year’s profits or €10 million. Article 83 sets out a list of factors that may aggravate or mitigate infringements of this nature; many of those factors feature pre-emptive measures mentioned in previous articles of the Regulation.
What is most important to note is that with both financial penalties a business will pay ‘whichever is higher’, i.e. 2/4% of their annual profit or €10/20 million; it is fair to assume that for small businesses the latter will apply.
Under the GDPR’s crippling financial repercussions small businesses stand to lose the most. It is more important than ever to take every precaution and invest in your IT security before the more expensive alternative takes effect. How you do business with larger corporations might also be affected, as they will need to ensure that their collaborators have sufficient processes in place to protect shared data.
- Read the GDPR. Make sure you understand how the new regulations will apply to your business. You may find the ICO’s overview useful.
- Strive for exceptional data handling and security. Although there are minor exemptions for SMEs, taking extra measures could help maintain good working relationships with larger, more harshly regulated businesses.
- Assess your current IT infrastructure and data protection measures. The ICO has a number of self-assessment kits to help you work out what changes you need to make in preparation for the GDPR.
- Consider using a specialist IT provider. With only 9 months until the GDPR comes into force, it might be more efficient and cost-effective to seek outside help to ensure all the necessary changes are made, even if your IT is done in-house.