Do you understand what is required of you when it comes to holding and using personal data? Do you know what happens if you breach those requirements?
To help you understand the importance of protecting data, and why it matters, Chris Burn, data protection specialist at CSRB has kindly written a guest blog for us:
Personal data protection management can be seen as a rather dry subject. That means it can often be consigned to a place in an organisation’s planning marked ‘for future consideration’. Yet because personal data protection is critical to the trust and confidence that customers have in a business, it can be a major influence on your reputation amongst suppliers, clients, and prospects. It is also an area that can be dominated by hearsay, misconceptions, and myths about what is and what is not the responsibility of the organisation when processing personal data.
Misunderstandings in the world of UK GDPR
One of the mistaken beliefs about the UK GDPR and other UK privacy regulations is that it is a topic to be fearful of, where enforcement is often perceived as an iron fist. The protection of individuals’ personal data in the UK is regulated by the Information Commissioner’s Office (ICO), whose clearly stated principal aim is ‘to help you comply with the law and promote good practice by offering advice and guidance.’
Often it is ICO fines and penalties imposed on organisations that grab the headlines, but John Edwards, the UK Information Commissioner, says: “Getting better outcomes, and sharing those stories with the wider economy, can have a much greater effect on the lives and rights of the people of the UK than a fine might. There is very little evidence that fines on their own produce better outcomes for the people we are protecting.”
Another misconception is that this is a problem for big business only, and that sole traders, micro businesses, and Small and Medium Enterprises (SMEs) do not encounter any risk through the processing of personal data, or that the UK GDPR does not apply to them. That is not the case.
Commercial insurer Hiscox reminds its customers that: “GDPR is relevant for small businesses that handle any personal data – from anyone. This includes staff, customers, and clients. If you take, process, or store any personal data or identifying information, you need to comply with GDPR regulations and rules.”
Over 40% of SMEs have had a significant personal data breach. Each data breach or incident has unique characteristics, which is one of the main reasons why engaging with a specialist, qualified data protection advisor is important. How data is stored, the policies and procedures that control its use within the business, and the level of knowledge and understanding of the staff involved in processing personal data all combine to produce the set of circumstances that allows the accidental or deliberate release of data.
As mentioned above, while the ICO looks to advise rather than penalise, it does have the power to impose fines of up to 4% of a business’s total annual turnover, although the ICO says that: “Any penalty that we issue is intended to be effective, proportionate and dissuasive, and will be decided on a case-by-case basis.”
A study by the Data & Marketing Association (DMA) found that only 10% of SMEs in the UK are fully compliant with the UK GDPR, while 25% are only in the initial stages of understanding the benefits of comprehensive information governance and compliance. “There is a concern about knowledge gaps and UK GDPR training made available in micro businesses and SMEs,” comments Tim Bond, Head of Insight at the DMA.
Barriers for small business owners
Having conducted extensive research asking business owners what their concerns and worries are regarding personal data protection compliance, online security, and the UK GDPR and Data Protection Act (2018), we found there is a clear barrier to firms implementing best practice.
The feedback from smaller businesses indicated that they felt becoming UK GDPR compliant would be a heavy investment in time and money and that it would divert resources away from their core business and deliver very little return-on-investment.
Reviewing the misconceptions about personal data protection above, we can see that the financial and reputational damage a personal data breach can cause makes it a core issue for businesses of all sizes. What is often overlooked is the time taken to respond to a personal data breach. This can take key stakeholders away from core business activities and has a clear commercial impact. What is needed is a way to make advice and support more accessible to micro businesses, SMEs, and sole traders. Most businesses lack the skills or time to fully understand the issues and look to work with a trusted partner who will support them in being proactive about personal data protection, and thus avoiding future problems. Thankfully, there are options!
CSRB are certified personal data protection specialists. We have a simple mission: to be clear and open about personal data protection, covering what you need, why you need it, and what you are legally required to do. We will help you manage and protect that data responsibly, and we are refreshingly jargon-free, whilst demonstrating how fulfilling your UK GDPR accountabilities and responsibilities can lead to enhanced business growth, client retention, and employee retention.
CSRB has developed a UK GDPR Support Package, in collaboration with the South West Cyber Resilience Centre (SWCRC), which has been specifically designed to meet the needs of businesses who want to do the right thing and who understand that managing risk is vital to their core business values, but who lack the in-depth knowledge of UK privacy legislation to understand what they need to implement and how to go about implementing it.
The CSRB package of support is delivered over 12 months and starts with a one-hour advice and Q&A session, so that the package can be tailored to the organisation. CSRB then sets out a roadmap for the journey towards UK GDPR compliance and future information governance certifications. The package goes on to deliver data protection officer support, UK GDPR training on important areas such as personal data breaches, and a package of support from SWCRC centred around online security and cyber security. We have removed the financial and time burdens: CSRB takes care of everything for you for less than the cost of a decent cup of coffee per day, and no more than 30 minutes’ time investment by the business owner each month!
CSRB in partnership
CSRB has always been a business that wants to give back. We are approved ‘collaborators’ of the South West Cyber Resilience Centre (SWCRC), a police-led team that looks after small businesses and charities that need additional resources and knowledge to reduce cyber risks within their businesses. Free membership of the SWCRC is a benefit of our UK GDPR support package.
As a Cyber Essentials accredited business, CSRB ‘walks the walk’, demonstrating that we implement the highest standards of security practice ourselves, and our collaboration with the SWCRC is a key source of the support we can both provide to micro businesses, SMEs, and sole traders.
Our trusted partnership with WCL also reflects our commitment to integrity, professionalism, and transparency. WCL are not just a trusted partner; they are our accountancy and legal advisors. We are delighted to work alongside a business as committed to business growth, compliance, and risk management as we are.
Safeguarding personal data sends a clear message to your customers, as does having an accredited accountancy and legal partner. We support WCL with certified data protection advice to their clients when we are asked to do so.
CSRB would be delighted to engage with you in a free, no-obligation online advice session to start your journey to UK GDPR compliance and beyond. Please get in touch with us here or call 0117 325 0830 to learn more about how our certified data protection services and UK GDPR support package can support your organisation.
CSRB – The Missing Piece of your GDPR Puzzle