The UK is one of the top three countries, keeping company with Germany and the Netherlands, when it comes to data breaches in Europe since the introduction of GDPR a year ago, according to recent research by DLA Piper. Fines totalling €56m were issued by European data protection agencies in the last 12 months, and with the UK regulator reporting a 490% increase in incidents notified to them in Q2 2018 compared to Q2 2017, the warning is that these penalties are set to rise, says Autoline’s Lizzy Watt.
So what can local businesses do to mitigate the risk of costly fines?
Ensuring good compliance processes are in place seems like the obvious answer, but a year on, many businesses are still struggling to manage even the most straightforward of GDPR requests from their customers. Surprisingly, such criticisms aren’t just levelled at small or medium-sized businesses. Tech giants including Google, Amazon and Apple have been publicly accused of breaching GDPR after failing to respond to basic information requests made by 10 private citizens.
It is appreciated that investment in compliance efforts can be expensive for businesses, but it’s important to recognise that since privacy and security are closely linked, a primary business advantage of comprehensive GDPR implementation is the safeguarding of customer trust. If a breach occurs, businesses will have to regain the trust of consumers, and they must be aware that in the event of non-compliance they risk not only considerable fines but, perhaps even more fatally, reputational damage.
There is also the lesser-debated issue of insurance. GDPR preparations to date have tended to focus on pure GDPR compliance, such as privacy policies and data retention policies, rather than on IT security hardening or preparing for a breach. A proliferation of cyber attacks in recent times could, however, expose security gaps in even the most GDPR-compliant of businesses.
Whilst cyber security insurance can potentially cover you for a range of different security breaches including data breaches following employee theft, data breaches following the loss of a memory stick, cyber business interruption, denial of service attacks and data breaches following hacking, business owners must read their insurance policies carefully to fully understand what the company and employees are insured against. If you are in any doubt, speak to your insurance provider to make sure your coverage aligns with your organisation’s specific GDPR requirements.
For businesses, particularly SMEs, who are uncertain of where to begin reviewing their GDPR compliance one year on, we would also recommend visiting the Information Commissioner’s Office website – it hosts a Data Protection Self-Assessment toolkit which can be beneficial in helping identify areas which may need to be re-examined.