Whether you’ve recently set up a small business or you’re well established as an entrepreneur, it’s essential that you take the issue of data protection seriously. To help you, we’ve set out nine things that all small businesses need to know about this crucial topic. We also outline why data protection matters and the potential consequences if you don’t meet your responsibilities under data protection laws.
If you keep information about people for any business or other non-household purpose, you need to get to grips with data protection rules. At their core, these rules are about recognising that people have a fundamental right to privacy, and a right to control their own identities and interactions with others. Data protection laws are set out in UK General Data Protection Regulation (GDPR) and implemented in the Data Protection Act 2018.
Under these laws, everyone who is responsible for using personal information has to follow specified data protection principles. For example, all data must be accurate, used in a way that is relevant and limited to only what is necessary. It must also be handled securely and kept for no longer than needed.
Complying with data protection rules is good business. It will help you to run your company efficiently, saving you time and money. It can also enhance your reputation by showing people that you treat their information with respect and care.
On the other hand, if you fail to meet your responsibilities, you could face serious financial and reputational consequences. The Information Commissioner’s Office (ICO), an independent body established to uphold information rights, can take enforcement action against you. This can include issuing bans on data processing or transfers and imposing potentially sizable fines.
As well as facing penalties from the ICO, you may be subject to private compensation claims from the affected parties, and you could lose trust among consumers.
It’s clear that data protection should be a priority for all businesses, but what else do you need to know about this subject?
Data protection can seem like a technical and difficult subject, but in fact the fundamental principles are based on common sense. The ICO itself states that there is no big secret to avoiding fines. You simply have to make sure that what you do with people’s information is legal and fair, and is clearly spelled out to them. If you’re ever unsure about a system or process, it’s always worth double checking it. This way you’ll stay on the right side of the law and have greater peace of mind.
Following data protection rules isn’t just important for compliance purposes. Consumers also want to know that you’re doing things by the book. People are increasingly aware of the importance of this issue, and of the need to be vigilant when protecting their personal information. With this in mind, it pays to be proactive and clearly spell out to customers what you are doing with their information and why. A simple way to do this is to create a privacy notice. The ICO provides guidance on how to make your own privacy notice, including providing a template to help you to do this.
Effective data protection could help you to secure contracts. Larger companies and organisations with corporate responsibility and ethics policies often make it a prerequisite that suppliers have data protection policies in place. Conversely, companies are less likely to give contracts to businesses that lack these policies or that have a history of data breaches.
So, being strong on this issue could help to give you a competitive edge.
The fines for failing to comply with UK GDPR can be substantial. They fall under two tiers. The first applies to infringements of the data protection principles, or the rights of individuals. If your business is found to be guilty of this, you face a maximum fine of up to 4% of annual global turnover, or £17.5 million, whichever is greater. The second tier of fine applies to infringements of other provisions connected to data protection, such as the administrative requirements of these rules. If you fail to comply with these regulations, you can face a maximum fine of 2% of annual global turnover, or £8.7 million, whichever is greater.
These fines aren’t mandatory. The ICO imposes them on a discretionary basis and in proportion to the nature of the offence. Typically, it does so only as a last resort. That said, there is clearly a significant financial risk if you don’t follow data protection rules.
Data protection isn’t only about handling and storing data in a safe way. There is another element to it – and that is consumers’ rights to their own information. For example, through something called a subject access request, a person can ask you for a copy of the information you hold about them. This happens quite commonly, so it’s useful to have a system in place for dealing with these requests for information. Being prepared will mean you can process any requests as efficiently as possible.
People can also object to the way you use their personal information, particularly if you do so for marketing purposes, and they can challenge the accuracy of their personal data. They also have the right to ask you to delete it. These rights don’t apply in all circumstances, but you need to know the rules, take any requests seriously and make sure you respond to them within a month.
It’s no good having sound data protection systems in place if your staff don’t know of or understand them. This means you’ll need to provide your employees with regular training on this issue to make sure their knowledge and skills are up to date.
Having secure computers and IT systems is at the core of effective data protection. If you don’t get a handle on this issue, you risk serious data breaches.
What are the common causes of data breaches?
The first step to enhancing your IT security is to understand the threats your business faces. Here, we outline what causes data breaches, and how you can resist these threats.
Short for ‘malicious software’, this is a general term for intrusive software created to destroy or damage computers and IT systems. Examples include spyware, ransomware, viruses, adware and worms. Malware is often used by cybercriminals to steal data in order to leverage this information for financial gain.
Weak and stolen passwords
Lost or weak passwords can be used by opportunistic criminals to gain access to personal and confidential information.
This refers to criminals using psychological manipulation to gain access to sensitive information. Phishing emails are a common example. This is when criminals send emails posing as reliable sources. Recipients are encouraged to click links within the emails. In some cases, these links load dummy pages specifically created to steal information. In other instances, they install malware.
The theft or loss of devices such as laptops and tablets that contain sensitive information can result in data security breaches. For example, thieves may break into an office and steal equipment, or a company laptop may be accidentally left on a train and end up in the wrong hands.
Poorly written software applications and network systems that are badly implemented or designed can leave the door open for hackers.
Anyone with bad intentions towards your company, from a disgruntled employee to an unhappy contractor, may copy, steal or alter sensitive data.
How to protect your business against data breaches
As well as being able to identify the data security threats your business faces, you need to know how to prevent data breaches. For example, as part of a cybersecurity plan, you should:
● Install and maintain effective anti-virus software
● Use complex passwords, and avoid sharing passwords
● Keep all hardware and software fully patched and updated
● Ensure staff have ongoing IT security training
● Follow safe practices for wireless security
● Have suitable security measures in place for remote working and working while travelling
● Be on the lookout for possible security threats from personnel
● Take out appropriate cyber insurance in case a problem arises
Even with effective security systems in place, there is always a risk that something will go wrong. It’s therefore essential that you know how to respond to a data protection breach. In serious cases, you need to report the breach to the ICO within 72 hours of discovering it. In less serious instances, you may not be required to report the incident to the ICO, but you should still act quickly to limit the harm caused.
Any delay could make the situation worse, and could therefore result in much greater damage to your business and its reputation.
If you’re unsure of whether the breach needs to be reported to the regulator, you can use the self-assessment for data breaches tool on the ICO site to help you decide.
As we’ve highlighted previously in this blog, the consequences of a data breach can be serious. You may face large fines from the ICO, as well as private compensation claims from the affected parties. In fact, the financial fallout from these lapses can be devastating and potentially put the future of your business in jeopardy.
How can cyber insurance help?
Taking appropriate IT security measures will minimise the chances of a breach, but you can never reduce the risk to zero, particularly as cyber criminals are increasingly sophisticated in their attacks. With this in mind, it makes business sense to take out cyber liability insurance.
This financial cover will protect your business if you fall victim to a malicious attack on your data and IT systems. It will cover the costs of restoring equipment and data, meeting ransom demands and informing the affected parties. It will also cover your loss of net profits and the legal defence fees and damages you may be liable to pay. As well as the extra financial security it offers, this type of insurance can give you added peace of mind.