How will the new GDPR data protection laws affect you?
You hold personal information; you can’t run a business without it. Whether customers or prospects, the details you hold on computers, memory sticks, up in the Cloud, even on paper, are set to be a bigger risk than ever before. Now you can face huge fines and naming and shaming, with potentially serious reputational damage.
The clock is ticking. It’s time to get your house in order.
What’s this GDPR law change?
In May 2018 the new EU General Data Protection Regulation (GDPR) will bring in a raft of new rules, which not only give citizens more rights over their personal data but also mean huge fines for companies which fail to look after them.
In future, data breaches will not just be an embarrassment but potentially a financial disaster. The fines are huge: up to 4 per cent of turnover or 20 million Euro, whichever is greater.
Applying the new laws to last year’s cases results in a 79-fold rise in the level of fines.
Last year British companies were fined an aggregate £885,000.
The same offences under the new rules would mean fines of £69,000,000.
(source: NCC Group)
Surely they can’t fine SMEs twenty million?
Of course those kinds of figures are aimed primarily at big business, but a sliding scale applies and for lots of SMEs, getting stung with any level of fine is a worry.
The point is, GDPR is a law with teeth – big, razor-sharp teeth.
Will Brexit save us from new EU laws?
No. However hard or soft Brexit is, the growing culture of intrusive marketing has resulted in something of a clampdown. Beefed-up data protection laws are very much wanted by the UK Government and will be crystallised into British law, one way or another.
But we’re one of the good guys… we never hassle people.
The other side of the issue is lists of customer details being accessed illegally and changing hands in places like the dark web. Cyber breaches are in the news every day, and they are more and more likely to come out.
If you do suffer a breach, and the source is detected, or announced by the callous criminals themselves, and you neglected to mention it to the authorities, you could face an enormous fine.
The upshot: You can’t stick your head in the sand and hope for the best anymore.
Whether you play fast and loose with the rules, or stick closely to best practice but make a single mistake, the chance of a fine hefty enough to threaten the very survival of your business is about to become real.
The clock is ticking…
Some points of the new law and actions you need to take
The rules are tightening on getting consent to process personal data
Consent must be “freely given, specific, informed and unambiguous.” This means an increased responsibility to keep records of such consent and how it was obtained. You may find you are asked to prove it (especially if these new laws increase people’s general propensity to complain about personal data privacy).
In the event of a breach, you may need to contact people direct
Imagine calling up your customers to explain you’d lost their personal details to a criminal gang. That’s a distressing scenario that is extremely likely to happen to some organisations in 2018/19.
One feature of GDPR is the obligation to contact people affected by a data breach (in certain circumstances).
Such direct contact could be required if the data loss is considered “high risk” (that is, where it poses a high risk to people’s rights and freedoms).
To add a layer of confusion, the concept of risk is left undefined. There are passages of the law that talk about data losses causing “physical, material or non-material damage,” but the circumstances that give rise to greater risk are left to “objective assessment.”
You may find this worrying, particularly if you process the sort of data where a breach could lead to identity cloning.
To protect yourself, it's a good idea to invest in strong encryption and pseudonymisation. The ICO has reported that companies that do not use encryption may face regulatory action in the event of a data breach.
Report data breaches – and quickly
Mandatory reporting of data breaches will become the norm. GDPR will mean reporting within 72 hours of discovery, and you may have to explain yourself, possibly under oath.
Among other things, when you notify the authorities of a breach you must set out:
- Potential consequences of the data breach
- Measures taken to address the breach
- Actions taken to mitigate the damage and side effects
Clearly not stuff you should be making up on the fly. In-depth cyber risk management and business continuity should be worked on now – long before the GDPR law comes to pass.
The right to be forgotten
You can no longer presume to hold people’s details indefinitely. If you don’t have a legitimate reason to process personal data, you must be prepared to delete it.
Under GDPR, individuals have the right to request you erase all personal data you hold on them.* For example, in a situation where the data is no longer used for the initial reason you collected it.
Is your data organised so well that you could hit delete once and be sure you weren’t going to contact that person again? If you hesitated to answer, you’re probably not ready for GDPR.
*There are a number of exemptions to this, e.g. in compliance with certain contractual, regulatory and legal obligations. Some examples: legal claims, tax purposes, where the processing is in the public health interest or scientific and historical research.
The right to be portable
The right to data portability is a new concept under GDPR. It gives people the right to move all of their personal data from one company to another, for example if they choose to defect to your competitor.
Could you pick up and drop off all of a customer's data and hand it over in an acceptable format to a competitor? Or are your records a mix of paper files and various databases?
Getting everything into a single, well backed-up system is more important than ever.
Privacy by design and default
Embedding data protection into everyday life in your business will be crucial if you are going to avoid problems.
A full review of your systems and processes would be advisable, starting right away if you’re going to beat the clock and avoid getting hit with a massive fine.
Consider talking to an experienced broker about cyber risk management and insurance cover
The proliferation of new tech and regulatory changes makes having robust, fit for purpose insurance more important than ever.
A policy that covers the costs associated with investigations by regulators can bring peace of mind.
The biggest single data-based mistake is failing to align data risk management with business goals at a leadership level. People used to think, “it’ll never happen to us.”
With cyber security failures now making headlines, and new laws bringing massive fines for data protection malpractice, it is happening, make no mistake.
As a specialist insurance broker with deep knowledge of contemporary business challenges, Howden can provide invaluable advice in getting the right level of cover for your changing business needs.