GDPR a Year On: Are Small Businesses Meeting Its Requirements? by Sophie Deering, Writer at Hiscox

It’s been over a year since the introduction of the monumental new GDPR (General Data Protection Regulation) laws, marking a huge shift in the way that data is handled by businesses across the EU. Its primary goals: improve data privacy and security and give consumers more control over how their personal information is used. We should, in theory, have seen a significant impact on the state of data security in the EU and more transparency from businesses over the last year. But have businesses fully grasped what’s required of them under the new regulations? And are they complying?

A recent study by business insurer Hiscox, investigating UK business owners’ understanding of GDPR, revealed that 9 in 10 SME owners don’t know the main new rights GDPR gives consumers. Over half of SME owners are also less aware of what GDPR is now than they were when it first came into action. Considering the potential damage a data breach can cause a small business (fines as well as a dent in their reputation), these are worrying statistics.

In light of the discovery that GDPR perhaps isn’t as widely understood as it should be, here’s a brief run through of the requirements. We’ll also have a look at how businesses have responded in the wake of the new laws coming into action.

GDPR: A recap

To recap, GDPR came into effect on 25 May 2018 and was formulated to better regulate the way that online data is collected, stored and used. In short, the general public now have more control over their own personal data and businesses are now required to offer better transparency about how they handle consumer data.

What this means for businesses is that, to stay on the right side of GDPR, they must gain consent to collect and use consumer data, and they must be able to prove that it is necessary and in the interest of the consumer for the business to collect and use their data.

Are businesses complying?

While all EU businesses should have already ensured that they are GDPR compliant, the findings from the Hiscox study suggest that not everyone is up to speed with what they should be doing. It was found that 39% of SME owners don’t know what kinds of businesses need to comply with GDPR. With the low rate of awareness, it’s fair to presume that many businesses aren’t taking the appropriate actions.

A report released by DLA Piper in February 2019 revealed that there were nearly 60,000 reports of data breaches between May 2018 and January 2019, though only 91 fines were issued in that time.

It’s time to take action

If you’re concerned that your business is not complying with GDPR, it’s not too late to take action. After all, GDPR should be seen as an ongoing project, rather than a one-off job. Some companies have even hired specialist GDPR officers to keep their data usage in check, including educating employees on compliance requirements, conducting audits to ensure compliance, maintaining records of data processing activities and more.

Some of the key GDPR actions being taken by businesses include cleaning up their databases and ensuring that they have consent from everyone whose data they possess. As a consumer, you probably noticed an influx of emails sent from businesses to their mailing lists, informing recipients of changes to their privacy policy and, in some cases, asking people to opt in to communications.

You may also have seen the introduction of ‘opt-in’ cookie consent pop-ups on websites that require users to actively agree to their cookie usage, as opposed to simply informing them that cookies will be used on the site.

The consequences of a GDPR breach

According to the Hiscox study, 96% of SME owners don’t know the maximum fine for breaching GDPR as a percentage of global turnover, which is arguably why so many aren’t regarding GDPR compliance with the urgency it requires.

For the record, there are two tiers of maximum fines that can be issued under GDPR, decided based on the severity of the incident. The lower fine is either £7.9m or 2% of the company’s global turnover (whichever is higher) and the higher fine is £17m or 4% of the company’s annual global turnover (whichever is higher).

Breaches are assessed on a case-by-case basis, and some businesses may instead be issued with smaller fines, warnings, reprimands or orders to comply with data subject requests if it is decided that the breach does not warrant either of the two maximum tiers of fines.

High-profile GDPR breaches

To date, the business to have been slapped with the largest GDPR fine is Google, which was fined €50 million (£44m) for failing to acquire users’ consent for advertising.

British Airways is also among the businesses to be caught out by GDPR, after suffering a ‘malicious criminal attack’ that led to thousands of customers’ data being compromised. The business now faces a potential fine of £500 million or more.

With all this in mind, perhaps it’s time for a self-check. Is your business or employer doing all it can to comply with GDPR? While most reported incidents involve large global organisations, GDPR can impact small businesses equally. Get yourself up to speed with the new requirements and you’ll be in a much better position to avoid any trouble later down the line.