GDPR compliance failure
25 April 2019
This article was featured in the May 2019 issue of the magazine.
Hiscox UK, the small business insurer, reveals findings of recent research a year on from when the GDPR came into force, and offers advice and reminders
The research by Hiscox (http://bit.ly/2WWXPPH) suggests it’s possible that the information distributed ahead of the General Data Protection Regulation (GDPR) coming into effect in 2018 wasn’t as comprehensible as one would have hoped. With the headlines dominated by threats of monumental fines, it might have been that small- to medium-size enterprises (SMEs) disregarded the GDPR as a problem for the ‘Googles’ and ‘Facebooks’ of the world.
Unfortunately, the GDPR is just as relevant to small businesses as it is large ones. It’s essential to understand how the law affects a business and what to expect for failing to comply. To clear up a few grey areas regarding GDPR breaches and potential fines, here are a few facts.
The fundamental purpose of GDPR is increased data protection. This includes data used for customers, clients, employees, suppliers and prospects; covering their names, addresses, GPS location, bank details, IP addresses, email addresses and more.
In order to maintain better data security across the European Union, businesses are now required to prove they have vigilant processes and measures in place to keep data safe and secure. They are also obliged to offer transparency about how data is being used, including if and when it has been compromised. Failure to demonstrate appropriate actions to comply with GDPR can result in a one-off discretionary caution or can escalate to a fine.
Worryingly, the Hiscox data suggests that nine in ten in SME owners don’t know the main new rights that GDPR gives to consumers. But, if a business relies on the internet wholly or as a support to its day-to-day running, it’s likely that the GDPR will impact its work.
...fines are discretionary rather than mandatory, and each breach is assessed on a case-by-case basis
On a standard day, emails are sent, documents are shared, bills are paid, goods are purchased and external payments are taken – all things involving an exchange or utilisation of private data. In order to offer consumers their rights under the GDPR, data must be handled with care. Examples of activities that may be affected are newsletter mailing lists, cold emailing prospects, storing of customer data and so on. Consumers must opt in to marketing communications (no more pre-ticked newsletter sign up boxes); prospects cannot be sent automated emails without offering consent for their contact details to be used; and only the essential data must be collected when customers sign up or make a purchase.
In the case of a first and non-intentional non-compliance, a business may be issued a written warning. While this isn’t as grave as other potential penalties, it should be taken seriously, as it will be the first and last caution before action is taken. Businesses that have been issued a warning should then expect to undergo regular data protection audits, to ensure the appropriate actions have been taken to adhere to regulations.
If a business is found to be breaching the GDPR, they may be issued a fine by the Information Commissioner’s Office (ICO). There are two tiers of administrative fines that can be levied as penalties for non-compliance:
the first tier is for relatively minor breaches with fines reaching up to EUR10,000,000 (approximately £7,900,000) or 2% annual global turnover – whichever is higher
the second tier is reserved for serious breaches where fines can reach a maximum of up to €EUR20,000,000 (approximately £17,000,000 million) or 4% annual global turnover – whichever is higher.
Contrary to popular belief, fines are discretionary rather than mandatory, and each breach is assessed on a case-by-case basis.
The criteria considered when determining any fine, include:
the nature, gravity, duration and character of the infringement
the level of co-operation
the type of data that has been compromised, and
how the breach came to the ICO’s attention.
To avoid falling on the wrong side of the law, organisations should ensure they have adequate procedures in place for identifying and reporting breaches as well as covering all aspects of data protection. Businesses that are seen to be taking the appropriate action to prevent or recover from a data breach will be treated with more leniency by the ICO.
If your organisation does incur a data breach, notify the relevant authorities within 72 hours. Not only will it demonstrate that you are taking the relevant action to resolve the issue as well as put you in a better position to avoid GDPR fines and penalties in the future, but it will also help to maintain trust among stakeholders and your target consumers.
Hopefully this has cleared up a few areas of confusion when it comes to GDPR. With the threat of potentially grave penalties for non-compliance, it’s worth being up to speed with all the expectations and requirements for SMEs under the new data protection laws.