With GDPR now in full effect, a huge number of UK businesses – large and small – are still leaving themselves open to data theft. For those companies that do fall victim to targeted attacks seeking valuable data, this could have very real financial repercussions under the GDPR framework.

New figures have shown that millions of UK businesses are currently using data storage methods that are not fit for purpose. To find out how your business could fall prey to GDPR, and how to avoid penalties, read on.

The Facts

The survey – conducted by Beaming – revealed that 4 million UK businesses are extremely vulnerable to data theft. The figures show that nearly 1 million UK businesses do not back up their data at all.

A further 2.8 million businesses do back up their data but keep these copies in the same storage space as the original data, simply providing another avenue for a determined hacker to access. It was found that 44 percent of small businesses do this, and so too do 42 percent of medium-sized concerns. Worst of all, 17 percent admitted to not backing up data at all and leaving it on in-office computers and employee devices.

Compliance

With these shocking figures in mind – and the attendant potential fines – here’s what you need to do ensure compliance for your business.

You need to ask yourself why you need the data you hold. Under GDPR, these reasons are known as a ‘lawful basis’. There are six categories why an organisation or business may need to retain, and process data and they are: contract, legal, consent, vital interests, obligation, legitimate interests and public task. You need to know which categories apply to you and why you need to retain this data.

Next, you need to know how to deal with individual rights requests. These are the legitimate and legal rights every person has. You need to be able to explain why you have their data and, if they ask, you need to be prepared to delete it from your records. It’s compliance issues like this that make it important to establish if you need a Data Protection Officer in your business. This person will be responsible for overseeing and monitoring your GDPR compliance.

Importantly, you need to be clear and able to explain how you store data. We’ve seen some of the horror stories above, and you need to be clear and consistent in how data is stored at rest, in use and when transmitted to another party.

Finally, you need to prepare for the worst-case scenario of a data breach. Who will report it? Who needs to be notified? You need to be fully aware of what to do if a breach occurs.

If you can work through this list and give clear, well-planned answers, then you are in a good place with regards to GDPR. 

Y 

The GDPR (General Data Protection Regulation) is coming into effect  on the 25^th of May and all manner of businesses are trying to work out what it means for them. From nurseries to online retailers, businesses are working hard to ensure they are compliant.

Once GDPR comes into force, it will be the most wide-ranging data privacy law on the planet, and it will affect how organisations big and small store, collect and handle data.

So, let’s take a look at how GDPR will impact e-commerce.

More Rights

When GDPR comes into full effect, European citizens will have many more rights when it comes to their personal data. They will have the right to correct, restrict, access and delete any data that a company may hold on them.

If you’re using data for advertising and marketing purposes, then users must specifically give their consent for this. Any business must list all and any third parties that may have access to a customer’s data. For big data and targeted marketing, this could mean huge changes in how things are done.

Alongside this comes the ‘right to be forgotten’. This translates to giving customers the enshrined right to delete any information a company may hold on them, in full and with no exceptions. And this process must be easy to do and clearly defined.

New Responsibilities

For those retailing via e-commerce, all of this means new responsibilities to customers and putting their data policies in line with GDPR.

In the case of a data breach, for example, online retailers need to have procedures in place and ready to do. They must report the breach to the ICO (Information Commissioner’s Office) and any affected customers within 3 days. For smaller concerns this may be a huge undertaking, so it is vitally important to be prepared ahead of time.

Large fines are also part of GDPR, levied against businesses that don’t store their data securely or misuse it. 4% of annual revenue is one punishment for failure to comply, which is a huge amount for small and big concerns.

Large e-commerce platforms like Shopify are already hard at work ensuring they are compliant, but individual merchants are still responsible for collection and safe storage of customers’ data.

For those worried about the new law, and wondering if they are compliant, the ICO has put together an online resource on how to comply and get a handle on this new era of data protection.