Over a year following the introduction of the General Data Protection Regulation (“GDPR”), a huge proportion of companies operating in Europe are not compliant with the rules, placing them at significant risk of hefty fines. At the same time, data mismanagement and poor data security mean that cyber risk can be a major threat to business.
The GDPR represented the most fundamental change in data protection legislation for the past 20 years and the first attempt to create comprehensive and enforceable laws around data governance, affecting all domestic and international businesses operating in the EU.
However, a year on from the launch of the GDPR, a recent survey of middle market businesses by has found that 30% of those businesses acknowledge that they are not compliant with the GDPR, with an additional 13% reporting that they are unsure either way. This is notwithstanding the growing number of fines from regulators, and the unquantifiable damage to reputations that can occur.
The survey also found that the lack of compliance was not limited to a particular issue, but rather spanned a wide range of regulatory obligations: 38% of non-compliant businesses indicated they did not understand when consent was required to hold and process data; 35% were unsure how the use of employees’ personal data should be monitored; and 34% revealed they did not understand what is required to ensure third party supplier contracts were compliant.
Evidently there remains a high degree of uncertainty as to what businesses should be doing.
From a regulatory perspective, the risks are well known. In the UK, the Information Commissioner’s Office (“ICO”) has the power to fine up to €20m (£18m), or 4% of annual global turnover, depending on the severity of the GDPR breach. Recently the international hotel group Marriott was fined almost £100m after hackers stole the records of 339 million guests. Similarly, British Airways was fined more than £183m after hackers stole the personal data of half a million of the airline’s customers.
Such fines dominate the headlines, but there are many other ways in which businesses can be impacted by cyber-risk. Inappropriate handling or loss of data can cause workplace interruption, divert resources that could otherwise be used to develop the business, and damage reputation amongst both employees and clients.
The short point is this – all personal data must be processed lawfully, transparently, securely and for a specific reason. This includes details of landlords, tenants and customers (even a name and contact number will be caught). Preferably individuals must specifically consent for a business to deal with their personal information, and to receive communications (including marketing communications); albeit the holding of personal information in certain circumstances may be excusable.
The biggest risk to businesses is a lack of understanding of what they need to do to protect data. There is no “one-size-fits-all” solution for managing a business’s cyber risk policies, but the starting point is to ensure a clear understanding of the legal requirements. That will enable the business to identify areas of risk and weakness, address those areas wherever possible, and put in place a robust mechanism to ensure that if problems do arise, they can be rapidly addressed with minimal cost and damage. Fladgate’s Guidance and Training Sessions, Data Protection Support Sessions, and Breach Response Advice can help you do so.
There is an upside, of course. Ensuring appropriate data risk management processes are implemented and a breach response strategy is in place can make businesses operate more effectively and efficiently, and demonstrate to customers a responsible attitude towards data and privacy.