Since 25 May 2018 the General Data Protection Regulation (GDPR) has been in force in the UK and throughout Europe. The GDPR has introduced a whole range of new rules regarding the storing and use of personal information. It provides protection for individuals whose personal data is collected by businesses and organisations.
This means that businesses and organisations have had to audit and review their data collection and processing systems. Doing this remains of great importance as failure to comply with the GDPR can lead to significant fines.
What does GDPR mean for SMEs in the UK?
SMEs in the UK need to pay attention to the effect that the GDPR can have on them. The new regulations are more stringent than anything that came before them and any business or organisation that fails to comply with them can be sanctioned and fined by the Information Commissioner’s Office (ICO).
The GDPR applies to any business or organisation that processes the personal information of people living within the EU. This means that it will continue to apply even if the UK leaves the EU. It’s also important to note that the regulations contained within the GDPR have been written into UK law.
Many organisations and businesses have already undergone the process of auditing and amending their collection and use of personal data. If any SME in the UK has not already done this, they need to take action immediately. All SMEs should also do all they can to protect themselves against potential GDPR issues.
The risks to SMEs in the UK
Every SME in the UK that uses the personal information of customers needs to be aware of GDPR regulations. This applies to a range of SMEs as personal data is collected on many occasions, such as when card payments are processed, invoices are emailed or payment details are collected.
SMEs now need to know what data is held, whether it needs to be held, where it is being held, who collected it and who is responsible for managing it. They need to be able to provide all of this information to customers on request. The maximum time allowed for processing such a request under GDPR is 40 days. This is a relatively short time period, so businesses need to be prepared and have all the information to hand.
Failure to comply with GDPR regulations has serious repercussions for any business or organisation. Fines of up to 20 million euros, or 4% of annual turnover, can be imposed. These figures alone should be enough to make SMEs in the UK take notice of the implications of the GDPR.
How SMEs can protect themselves from GDPR risks
Due to the potential impact of GDPR regulations on SMEs in the UK, all businesses and organisations need to take certain actions in order to protect themselves against the risks. The actions they need to take include:
- Reviewing IT systems and the way information is stored and processed.
- Adopting a more rigorous approach to data protection including developing specific data protection processes and procedures.
- Addressing any issues that could lead to a finding of non-compliance.
- Investing in GDPR insurance to provide protection should any incidents occur.
Examples of GDPR fines in the UK
There have been numerous fines imposed by the ICO before and since GDPR was introduced. Some of these fines have been large, but they have yet to exceed the maximum fine level of £500,000 that was in place before GDPR was implemented. Here are some examples of the fines that the ICO has imposed.
Facebook was fined £500,000 at the time of the Cambridge Analytica scandal. This fine was prominent in the news as an estimated 87 million Facebook users across the globe had their information shared improperly. The information was gathered through a quiz that Facebook members participated in, and it was passed on to Cambridge Analytica.
Equifax was also fined £500,000 for a cyber attack that took place before GDPR rules were implemented. Had GDPR been in place at the time of the attack, the fine could have been a lot higher. The fine was imposed because the company was found to have failed to protect the personal information of around 15 million UK citizens.
Bounty UK is a pregnancy club in the UK which was fined £400,000 because it shared the personal information of more than 14 billion people in an illegal manner. It collected the information from customers but neglected to inform them of how the information would be used.
A £400,000 fine was imposed on TalkTalk following a cyber attack which enabled the personal data of over 156,000 customers to be accessed. The information that was accessed included bank account numbers and sort codes.
Protection SMEs can get from cyber insurance
It’s obvious that there can be serious repercussions from not complying with the GDPR. This is why SMEs in the UK need to protect themselves. UK cyber insurance can provide such protection. Any SME in the UK should consider investing in this insurance in order to protect itself against the implications of GDPR rules.
The introduction of the GDPR has made it easier for people to see how their personal information is being used by businesses and organisations. The rules apply to any business or organisation that processes the personal data of people who live within the EU. The rules have also been embedded into UK law and will continue to apply even if the UK leaves the EU.
Now that the rules are in place, SMEs in the UK need to make sure that they comply with them. Failure to comply can lead to businesses and organisations being subject to large fines. SMEs can protect themselves against the impacts of GDPR by ensuring that they review and improve their processes for collecting and processing the personal data of customers. They should also invest in cyber insurance in order to protect themselves against potential risks.