SMEs braced for sweeping data protection overhaul

Businesses have less than a year to prepare for sweeping changes to the UK’s data protection rules. NIG’s Director of Underwriting and Pricing Justin Clarke re-explores the General Data Protection Regulation to see what it involves, and how companies can get ready for it.

In an increasingly digital age, data protection remains an important issue for businesses as diverse as retailers, technology firms and providers of professional services. Next May, a host of new rules will come into force, as the European General Data Protection Regulation (GDPR) replaces the current Data Protection Act.

With a significant shake-up on the cards, what key changes must small and medium-sized enterprises (SMEs) prepare for between now and 2018?

The GDPR in a nutshell

The new legislation is designed to protect European citizens from data and privacy breaches in an era when smartphones, apps and social media have made it easier than ever to share information.

The GDPR puts forward a series of rules with which those controlling or processing personal data will need to comply. It covers a wide range of areas, including consent, governance and the process of reporting data breaches. It also provides individuals with new rights regarding the use of their personal data. Companies that fail to comply could face penalties of up to 20 million euro (£17.6 million) or 4% of their annual worldwide turnover.

Although the GDPR was developed by the European Parliament and applies across the European Union (EU), the UK Government has indicated that Brexit will not halt its introduction in this country. It will cover organisations operating within the EU, as well as those outside the trading bloc who offer goods and services to EU citizens.

What’s changing?

In-depth guidance concerning the GDPR is available from the Information Commissioner’s Office (ICO).

For SMEs, the key measures to consider include:

  • The need to secure clear consent. In order for a company to hold an individual’s data, consent will have to be given freely and with a full understanding of what it involves. A person will need to actively give their consent, making things like pre-ticked boxes on application forms redundant. It must also be made easy for people to withdraw their consent.
  • New rights for individuals. People will be handed greater rights over the use of their personal data – including the right to be informed, the right of access, the right to rectification, the right to restrict processing, the right to data portability, the right to object, and rights related to automated decision-making and profiling. In particular, companies should be aware of the right to erasure – which allows people to request the removal of their data when there’s no compelling reason to keep hold of it.
  • Greater transparency over data breaches. A company suffering a harmful data breach will now need to inform their relevant supervisory authority within 72 hours of becoming aware of it. A breach could include the loss or destruction of data, or unauthorised access.
  • The potential need for a data protection officer (DPO). Under the new rules, public authorities, firms carrying out large-scale processing of special categories of data, and businesses conducting large-scale systematic monitoring of individuals will be required to appoint a DPO.

Getting ready for the GDPR

It’s true that the GDPR legislation will impact some firms more than others. However, as well as reading up on the ICO’s guidance, all SMEs should consider the following measures to avoid any nasty surprises next May:

  • Audit your existing data. Organise the data you hold on people in a clear and accurate manner, so individual files can be accessed quickly.
  • Review how consent is obtained. With the rules around consent set to tighten, do your application forms need an overhaul?
  • Understand people’s rights. Individuals will soon be able to request access to their personal data – and its deletion – more easily. Ensure your systems are able to cope with these new demands.
  • Decide whether a DPO is needed. If you’re likely to require a DPO under the new rules, start the recruitment process early to avoid unnecessary delays.
  • Improve your ability to detect data breaches. Would you be able to spot a breach and flag it up to the authorities within the new 72-hour deadline? Now’s the time to find out.

At a time of significant regulatory change, it’s also a good idea to look over your insurance policies to check you’re covered against any disruptions or financial risks.

For bespoke cyber insurance, SMEs should look no further than NIG’s regionally-traded Cyber Cover product, which was given a 4/5* rating by an independent broker reviewer in Insurance Age during 2016.

NIG Cyber Cover offers data-breach expense cover as standard that can help cover the cost of professional, legal, forensic IT, PR and crisis management services following a breach event.

The comprehensive cover that our product offers also includes our 24/7 support, which can go a long way to safeguarding the future of your business should you ever be the victim of a data breach.

Here’s what our Cyber policy also covers:

  • Cybercrime – financial loss from hacking, fraudulent input or alteration of data
  • Cyber liability – damages and defence costs attributed to a data breach
  • Third party data storage – data held at a third party storage provider
  • Loss of business income following a cyber-event (Optional)
  • Damage, loss, corruption and breakdown of hardware (Optional)
  • Data corruption and extra costs (Optional)

You can find more information about NIG’s Cyber Cover product, including Key Facts, Sales Aid, Proposal Form and Policy Wording, on our website.