It is virtually impossible to run any business these days without collecting and storing the personal data of customers or employees.
However, the growing trend right across the world is for individuals to demand – and be granted – more control over the information stored about them.
That is a challenge for many small and medium-sized businesses that store mailing lists and the personal details of customers and sales targets, but don’t have a large IT department to deal with security concerns.
In May 2018, the new EU General Data Protection Regulation will bring in a raft of new rules which not only give citizens more rights over their personal data, but also introduce huge fines for companies which fail to look after that data.
In future, data breaches will not just be an embarrassment but potentially a financial disaster, with fines of up to 4 per cent of turnover or 20m Euros threatened.
Of course, figures of that kind are aimed primarily at big business, but a sliding scale will apply, and for many SMEs any fine at all is a concern.
Britain’s impending exit from the EU won’t make a big difference, either. The new Regulation will almost certainly come in before Brexit is complete – and the principles behind it have already been agreed by the UK government. Even after leaving Europe, Britain’s data law is likely to be very similar.
Here are some of the big challenges the new era of data protection will bring:
- Right to erasure: Under the new regulations, citizens will have the right to ask for personal information held by an organisation to be checked, edited or deleted within 30 days. The challenge here is knowing where information is stored and how to access it. Is much of it hidden away in boxes, stored on paper, or held on formats such as floppy disks which can no longer be read? Or is it inaccessible on old computer servers which have never been upgraded? A secure system, properly backed up, is required.
- The threat of data breaches: Data breaches make big news and do major harm to reputation as well as incurring fines. Small and medium-sized businesses of all kinds are by no means exempt. The amount of data being created in these businesses is growing all the time, and the threat is only going to increase.
- Requirement to report breaches promptly: The new regulation will require organisations to report breaches quickly, perhaps within 72 hours, and fines will be issued to those who do not comply. The question for smaller businesses is who can access the data if a key manager or board member is away, and how quickly they can respond.
- Privacy by design: New rules mean businesses must think about the privacy and rights of the people they store data on, and use systems that comply with the new regulations. Only information that individuals have given express permission to collect can be stored.
The pace of technological and regulatory change makes having the right insurance in place more vital than ever, particularly protection against the threat of cybercrime. A main commercial policy may provide some cover towards the cost of recovering data and lost income. However, a cyber liability policy could also cover subsequent fines and investigations from data protection regulators.
A specialist insurance broker, with knowledge of the challenges commercial businesses face, will provide invaluable advice and reassurance, and will obtain the right level of cover to meet business needs.