No matter what size your business is, whether you’re a freelancer, micro-business, a small to medium enterprise (SME), or a large market leader, you must adhere to data protection laws when handling sensitive information.
Failure to protect the confidential information you hold, whether it is your own data or data you manage for a client, can result in a loss of client trust and business. It also exposes that data to misuse for illegal activity such as online fraud, which could lead to legal proceedings against you in the form of a negligence claim.
Creating and building a compliant contacts list for your marketing is not as straightforward as it once was. You must be careful not to ask for unnecessary personal information, while also following good practice and giving your subscribers the ability to pick and choose what marketing they want to receive from you via a preference centre.
Preference centres are important as they allow the subscriber to control their contact details and marketing preferences, which helps you avoid sending them any marketing messages they don't want. They can also provide valuable information about exactly what the subscriber is interested in, which will help you to tailor your email content accordingly and deliver greater relevance and context to your audience.
The way we all handle and process data has evolved significantly in recent years. Since the online boom really took off at the turn of 1999/2000, personal data has become one of the most significant commodities in the world. As a result it has also become one of the most targeted, and there has been a steep rise in cyber crime and data breaches in the past 20 years.
Recently, the Coronavirus pandemic has weakened online security because more professionals are now working from home. Many of them are working from their own devices, such as personal laptops and mobile phones, which do not carry the same level of antivirus protection as their work computers.
This means that, for many, it has become more difficult to follow company data security protocols.
In 2021, 39% of businesses and 26% of charities reported cyber security breaches or attacks. According to the government's Cyber Security Breaches Survey 2021 (Page 3), fewer organisations were able to administer their cyber security monitoring protocols (35% in 2021 compared to 40% in 2020) or undertake any form of user monitoring (32% vs 38%). This reduction suggests that they are less aware than before of the breaches and attacks their staff are experiencing.
Among the organisations that identified breaches or attacks, 27% of businesses and 23% of charities experienced them at least once per week. The most common are phishing attacks (83% and 79% respectively) and personal impersonation (27% and 23%) (1).
What is more alarming is that 21% of the businesses reporting attacks and 18% of the charities lost money, data or other assets. “Where businesses have faced breaches with material outcomes, the average (mean) cost of all the cyber security breaches these businesses have experienced in the past 12 months is estimated to be £8,460. For medium and large firms combined, this average cost is higher, at £13,400.” (1) These figures do not consider any penalties imposed for GDPR breaches.
This highlights why it is vital to be vigilant in securing your networks and the data that you handle while following GDPR rules.
Good practice in data management and security is important to ensure business confidentiality is maintained. The risks of a data breach are not confined to immediate monetary loss, but also include:
GDPR rules, brought into force in May 2018, apply to anyone who processes or controls data. This means that all departments and individuals within a business need to be aware of the GDPR legislation and how it impacts their daily tasks. This applies to all areas of a company, from human resources to marketing and sales, to legal and procurement.
GDPR is not to be ignored just because you are a micro business or one-man band. If a business flouts the GDPR rules it can be punished with a fine. In the UK, fines are determined by the Information Commissioner's Office (ICO). Lesser offences can result in fines of up to two percent of a business's global turnover or €10 million (£8.51 million), whichever is greater. More serious violations can lead to fines of up to 4% of a company's global turnover or €20 million (£17.05 million), whichever is greater.
The ICO will consider a company's attempts to comply with GDPR, but you will be required to prove your processes in the case of a GDPR complaint against you. This is why it is important to ensure you understand what is required of you, so you can mitigate the risk of a data breach and/or communication error that results in a GDPR complaint.
Just how do you prove you are attempting to be GDPR compliant?
Keeping up-to-date records of the data processing activities you carry out, and noting down the policies you have in place, will help you to follow the rules. Records of processing activities must be kept in writing; while both paper and electronic forms are allowed, it is best practice to keep digital records.
Documents required under GDPR can include the following:
Professional indemnity (PI) insurance will pay your legal costs and certain compensation payments that might be awarded if your client takes legal action against you for errors you are alleged to have made when providing professional services, advice or designs for your client. Among many other cover benefits, the PI policy offers:
Cover for accidental breach of confidentiality.
Unintentional sharing of confidential client information is quite common and usually occurs through human error. This falls under the 'wrongful acts' portion of the policy document, which includes professional negligence.
Insurance if you lose documents or data for which you are responsible.
PI will respond to cover money spent by you in replacing or restoring documents that, during the policy period, have been destroyed, damaged or declared lost even after a careful search.
Defence costs for data protection legislation prosecution.
In the digital age, data and privacy protection legislation is strict, and it can be easy to breach it without knowing. So it is important to carry professional indemnity insurance to ensure your costs and expenses are covered in the event that a claim is made against you because you lost sensitive data you were handling (3).
Cyber liability insurance will respond to cover your business if you suffer a data breach during the period of insurance. The policy covers use of the cyber response service and the cost of notifying third parties and/or employees of an actual or suspected data breach.
The policy can also cover your legal liability for damages arising from a claim as well as the cost of restoring, replacing, rebuilding, replicating or reinstating computer equipment that has been subjected to a cyber-attack (4).
Protects against claims of alleged negligence in your professional services, advice and designs.
Protection for losses from fraud, dishonesty, theft, bribery, forgery, and loss investigations.
Covers your business in the event of a malicious attack on your computer systems and data.