How To Protect Your Business From GDPR Penalties
When the General Data Protection Regulation (GDPR) was introduced in March 2018, most commentators missed the most pressing issue. And that could have left thousands of UK businesses vulnerable to GDPR penalties.
Few commentators in the digital marketing sphere recognised the devastating impact the EU’s heavy-handed approach to data protection would have.
At the time, news and advice were centred around how companies were obligated to inform consumers about how and why a business collects, processes and shares their personal data.
Hardly anybody mentioned that companies were also responsible for protecting personal data from cyber theft.
That revelation only surfaced over the last couple of years. Jaw-dropping fines including the multi-million dollar penalties the ICO handed out to the likes of Google ($57m), British Airways ($26 million) and Marriott ($23.8 million) have been the most high-profile to date.
On 7 June 2021, it was reported that a total of €293,830,537 had been collected by national data protection authorities in Europe.
What impact could GDPR penalties have on your business?
GDPR Penalties: The Cost of Non-Compliance
Non-compliance with the European General Data Protection Regulation (GDPR) can have devastating consequences for a business.
GDPR is generally thought to prevent businesses from selling the personal data of consumers to the highest bidder. Annoying targeted ads, unauthorised emails, phishing scams and cold calls were all supposed to be eradicated.
In reality, GDPR has prevented none of the above. We may not get as much spam these days, but we’re all still receiving more phishing scams and unsolicited emails than we would like. It begs the question of whether GDPR actually works to protect consumer data.
What we are seeing is an increase in GDPR penalties handed out to businesses and institutions that have a responsibility to protect the personal data of UK and European citizens. And it can be quite easy to breach consumer data rights.
Gloucester police were fined £80,000 after a police officer inadvertently put the email addresses in the ‘To’ field rather than the ‘Bcc’ field when he sent out a bulk email. Because the email addresses of 56 other people were exposed to all recipients, the Information Commissioner’s Office (ICO) deemed the error to be a serious breach of GDPR.
In the past, the ICO has said the purpose of GDPR is to “go after larger global and sometimes multi-national companies where the old £500,000 fine would just be pocket change.”
The ICO has not been slow in flexing its new powers. Organisations that are household names have been heavily punished for failing to appropriately protect consumer data from cybercriminals.
But a significant increase in the number of GDPR penalties in 2019-2020 indicates that regulators are prepared to take a heavy-handed approach towards companies of all sizes that fail to implement adequate security defences.
The Cost of A Data Breach
Firms deemed to be non-compliant with UK GDPR’s code of practice will also be subject to a penalty. The maximum fine for “less severe violations” is £8.7 million or 2% of annual global turnover.
Higher-level penalties incur fines of up to £17.5 million or 4% of annual global turnover.
Data breaches fall into the high-level category and are defined by the UK ICO as:
“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
Whilst a data breach could have serious consequences for businesses of all sizes, the punishment will not be as severe for firms that can demonstrate they have made an effort to install appropriate security measures and mitigate risks.
In most cases, a “proportionate” fine will be handed out if you are able to prove your policies and governance framework meet GDPR compliance.
However, a data breach is a three-pronged problem. Your business could suffer financial loss arising from the theft or loss of business data and/or contacts, a disruption to trading, or the actual theft of money.
In accordance with GDPR, businesses are obligated to inform their customers of a data breach. The theft of their personal details may result in a higher risk of phishing attacks and unsolicited emails.
Businesses that fail to protect consumer data are more likely to suffer damage to their reputation. A lack of business from consumers can also be compounded by suppliers, investors and partners pulling out of existing contracts.
It’s thought that 60% of companies that suffer a data breach go out of business within six months. The devastating impact is not always due to the financial loss incurred, or even the fine, but from the loss of confidence from their customers.
What does GDPR mean for your network?
Organisations are responsible for the data they hold and have a responsibility to protect the data of customers. That includes protecting consumer data from hackers and internal leaks.
Firms that can demonstrate some level of technical security and have trained employees to identify and prevent cyberattacks should be able to escape a penalty for a data breach – or at the very least, be ordered to pay only a minimum fine.
Under Article 32, controllers have a responsibility to encrypt and preserve personal data as confidential, and must have the “ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.
Whilst SMEs generally have to abide by the same rules as larger companies, there are a couple of exceptions. Companies with fewer than 250 employees do not have to keep records of their processing activity.
However, it should be understood that this does not mean you are exempt from GDPR compliance. If you store customer data anywhere on your database, you have a responsibility to protect it.
Mitigating the Risks of Hefty GDPR Penalties
Whilst government regulations may sound disheartening to business owners, the reality, in our opinion, is that GDPR is less scary than it’s built up to be in the mainstream media.
Having said that, it is only less worrisome if you take preventative measures to keep out malicious actors. The smart move is to ensure you do everything within your power to comply with GDPR.
The ICO recommends starting with a 12-step process. There are also IT services you can invest in to shore up your defences.
Prepare a data protection impact assessment (DPIA)
Companies are obligated to assess the level of risk their data processing could pose to the data protection rights of their customers, investors, suppliers and partners.
Determine what personal data you hold
Establish whether you need to keep personal data on record and, if you need to share it with a third party, how it will be collected and shared.
Honour right to be forgotten
EU citizens can request that you delete, amend or move their data. You should be able to perform such requests within a month.
Establish a lawful basis for processing data
Notify ICO of a data breach
In the event of a data breach, companies are obligated to notify their assigned data protection authority within 72 hours. Your DPIA must detail how you will do this.
Appoint a data protection officer
Every company that stores and manages personal data must appoint a data protection officer to monitor internal compliance, train staff, provide advice to the board and act as a contact point for anybody whose personal details the company holds.
How Can Outsourced IT Support Help Prevent Data Breaches?
Whilst there are a number of standard strategies built into software and hardware that help to protect your business network, they have limited influence against the sophisticated technologies and strategies deployed by cybercriminals.
It’s worth bearing in mind that cybercrime tools were mostly developed by national secret service agencies. They are pretty sophisticated pieces of technology.
Cybercriminals can also get easy access to hacking tools by investing in Crimeware-as-a-service (CaaS). This gives people without much technical knowledge the capacity to earn a dishonest living online.
In addition to the standard anti-virus software and web application firewalls, businesses should look to improve cybersecurity defences by installing the following layers of protection.
Under the governance of GDPR, companies can be fined for losing personal data. Not to mention a data loss can seriously slow your business down for at least 7-10 days.
Cloud computing solutions enable companies to back up data almost instantaneously. Even if you have a power outage, the vast majority of your data will be saved and easily accessed.
Having said that, it’s still a good idea to have multiple backup systems and perform back-ups over the weekend.
A virtual desktop is typically hosted in the cloud and provides users with a secure environment for producing, sharing, storing and managing data. They are particularly popular with high-risk industries that hold huge amounts of personal data on their network such as healthcare companies and financial institutions.
With data stored in a centralised system, your data has more protection than it would if it was stored on a device or in-house server. Some solutions such as Microsoft Virtual Desktop also have built-in security controls including firewalls and virtual private networks.
Encryption is a crucial cybersecurity solution. The more layers of encryption you deploy, the more protection you provide for your customers. At the very least, you should have an SSL certificate, endpoint encryption and a VPN.
Train your staff
The weak link in the majority of successful cyberattacks is humans. Cybersecurity statistics estimate around 90% of data breaches were due to an employee error.
When you consider that 92% of malware is embedded in attachments and delivered by email, it’s highly important that your employees know how to identify, prevent and report phishing scams.
In addition, your staff should be encouraged to use secure passphrases as passwords, forced to update them every month and not use the same password for more than one account.
Adding multi-factor authentication (MFA) to the login process will also heighten security at the user end. For companies that deploy remote workers and BYOD policies, MFA is a must.
Software released by tech companies can become outdated fairly quickly. Knowledgeable hackers can usually find a vulnerability in its code. This is why you have to perform so many updates on your smartphone.
Tech companies like Microsoft are not held accountable if their software is the gateway through which hackers wiggle through – at least not if they have provided customers with an update.
However, the ICO will issue a penalty to companies that fail to update their systems once a patch has been released. This poses a problem for businesses that use multiple applications, plugins and software.
If your employees have to update all the devices they use to connect to your business network every time a new patch is issued, their productivity is impacted. You also have to rely on every member of your workforce to update their devices.
The alternative is to assign updates to an IT member. But if you have hundreds of employees, many of whom are working in remote locations, managing updates is overwhelming.
Fortunately, patch management can be performed remotely – and in most cases automatically. This eliminates the burden on your employees and IT staff. You can also schedule updates that would disrupt operations to run overnight so productivity is not impacted.
IT Support Service in London
The number of cyberattacks targeting work-from-home employees rose dramatically during enforced lockdowns. A report published earlier this year estimates two-thirds of companies in the UK and the US suffered a data breach since switching to remote working.
Unless you take serious steps to secure your business data, your IT network and personal data are at risk. And if the cybercriminals don’t put you out of business, GDPR probably will.
Ignoring the threat of hackers is not a smart move. Our IT solutions team in London will ensure your defences are as tight as possible, vastly reduce the risk of a data breach and avoid the threat of knee-breaking GDPR penalties.