With GDPR now in full effect, a huge number of UK businesses – large and small – are still leaving themselves open to data theft. For those companies that do fall victim to targeted attacks seeking valuable data, this could have very real financial repercussions under the GDPR framework.

New figures have shown that millions of UK businesses are currently using data storage methods that are not fit for purpose. To find out how your business could fall prey to GDPR, and how to avoid penalties, read on.

The Facts

The survey – conducted by Beaming – revealed that 4 million UK businesses are extremely vulnerable to data theft. The figures show that nearly 1 million UK businesses do not back up their data at all.

A further 2.8 million businesses do back up their data but keep these copies in the same storage space as the original data, simply providing another avenue for a determined hacker to access. It was found that 44 percent of small businesses do this, and so too do 42 percent of medium-sized concerns. Worst of all, 17 percent admitted to not backing up data at all and leaving it on in-office computers and employee devices.

Compliance

With these shocking figures in mind – and the attendant potential fines – here’s what you need to do ensure compliance for your business.

You need to ask yourself why you need the data you hold. Under GDPR, these reasons are known as a ‘lawful basis’. There are six categories why an organisation or business may need to retain, and process data and they are: contract, legal, consent, vital interests, obligation, legitimate interests and public task. You need to know which categories apply to you and why you need to retain this data.

Next, you need to know how to deal with individual rights requests. These are the legitimate and legal rights every person has. You need to be able to explain why you have their data and, if they ask, you need to be prepared to delete it from your records. It’s compliance issues like this that make it important to establish if you need a Data Protection Officer in your business. This person will be responsible for overseeing and monitoring your GDPR compliance.

Importantly, you need to be clear and able to explain how you store data. We’ve seen some of the horror stories above, and you need to be clear and consistent in how data is stored at rest, in use and when transmitted to another party.

Finally, you need to prepare for the worst-case scenario of a data breach. Who will report it? Who needs to be notified? You need to be fully aware of what to do if a breach occurs.

If you can work through this list and give clear, well-planned answers, then you are in a good place with regards to GDPR. 

Y 

The GDPR (General Data Protection Regulation) is coming into effect  on the 25^th of May and all manner of businesses are trying to work out what it means for them. From nurseries to online retailers, businesses are working hard to ensure they are compliant.

Once GDPR comes into force, it will be the most wide-ranging data privacy law on the planet, and it will affect how organisations big and small store, collect and handle data.

So, let’s take a look at how GDPR will impact e-commerce.

More Rights

When GDPR comes into full effect, European citizens will have many more rights when it comes to their personal data. They will have the right to correct, restrict, access and delete any data that a company may hold on them.

If you’re using data for advertising and marketing purposes, then users must specifically give their consent for this. Any business must list all and any third parties that may have access to a customer’s data. For big data and targeted marketing, this could mean huge changes in how things are done.

Alongside this comes the ‘right to be forgotten’. This translates to giving customers the enshrined right to delete any information a company may hold on them, in full and with no exceptions. And this process must be easy to do and clearly defined.

New Responsibilities

For those retailing via e-commerce, all of this means new responsibilities to customers and putting their data policies in line with GDPR.

In the case of a data breach, for example, online retailers need to have procedures in place and ready to do. They must report the breach to the ICO (Information Commissioner’s Office) and any affected customers within 3 days. For smaller concerns this may be a huge undertaking, so it is vitally important to be prepared ahead of time.

Large fines are also part of GDPR, levied against businesses that don’t store their data securely or misuse it. 4% of annual revenue is one punishment for failure to comply, which is a huge amount for small and big concerns.

Large e-commerce platforms like Shopify are already hard at work ensuring they are compliant, but individual merchants are still responsible for collection and safe storage of customers’ data.

For those worried about the new law, and wondering if they are compliant, the ICO has put together an online resource on how to comply and get a handle on this new era of data protection.

The threat of cyberattacks is, as we all know, always lurking on the horizon, much in the same way as GDPR is, which is being implemented on the 25^th May.

Despite the fact that fears are rising and attacks are becoming more frequent, it seems that manufacturing plants across the UK simply aren’t doing enough to protect themselves from the dangers of cyber-related incidents. More than 80 plants in the UK have fallen victim to such incidents, mainly due to the fact that they lack the visibility and tools needed to carry out the appropriate cyber assessments.

Are UK manufacturers in the midst of an uphill struggle unlikely to go away when it comes to cybersecurity and GDPR?

What GDPR will do

When it comes into effect on May 25^th, GDPR will mean that any organisation failing to carry out the appropriate assessments and actions to prevent cyber-attacks could incur fines from the ICO. Astonishingly, these fines could be as high as four percent of a firm’s annual turnover. Surely that news alone is enough to encourage manufacturing companies to sit up and listen…

Where do manufacturers stand with GDPR?

One of the biggest issues regarding GDPR and the manufacturing industry in a lack of understanding regarding its effects. According to a survey conducted by EEF, 16% of manufacturers claim to know little about GDPR or how it will impact on their business and 34% are failing to educate their staff about GDPR.

Once implemented, GDPR will affect the manufacturing industry in the following ways:

  Data processing – businesses will be required to secure all personal data including contact details and bank account information.

• The right for data to be deleted – Any data that you have about an individual can be requested to be deleted or reviewed by the person concerned.
• Consent – When businesses go about collecting any type of personal information consent will need to be obtained. 

In order to overcome the threats of GDPR, manufacturers could take a KPI approach to their cybersecurity, setting goals and metrics that will improve security.

Cyber-crime is not something that is likely to happen, it is something that is guaranteed to happen, again and again, unless businesses take the appropriate steps to prevent it.