You’re not a control freak but like to be in control of your enterprise. Understandably; your business is your source of income and your pride and joy. But part of being in control is compliance with data protection laws. Like it or not, you are regulated by the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA 2018).
Many small to medium-sized businesses (SMBs) may be fooled into thinking that data protection regulations only apply to corporate giants that process and store massive amounts of data. Speaking of which, Google recently received a gigantic $5 billion fine for breaking EU antitrust laws. But the GDPR doesn’t discriminate. SMBs are as susceptible to data breach fines and penalties as the big guys like Facebook are.
The fact is that data protection laws are concerned with the content of your business data and not the volume. Personal data, by GDPR definition, includes but is not limited to names, email addresses, phone numbers and online identifiers such as IP addresses. Any form of personal data that your company accesses, processes and stores is protected by the GDPR.
You need to obtain explicit consent for use of the data, ensure that it is not vulnerable to hacking by cybercriminals and give your clients and employees the right to be forgotten (the right to erasure). You also need to report any data breaches in a timely manner, usually within 72 hours. The good news is that in the UK you only need to report a breach to the ICO if it poses a risk to people’s rights and freedoms. Deciding whether a breach meets that threshold is a challenge in itself.
As you can see from Google’s experience, GDPR non-compliance is not an option, especially for SMBs on a scant budget. Regulators have the discretion to impose one of two tiers of fines under the GDPR for non-compliance:
- up to €10 million or 2% of annual global turnover, whichever is greater
- up to €20 million or 4% of annual global turnover, whichever is greater
If your SMB infringes its data protection obligations, including through data security breaches, you will be subject to a lower-tier fine. When individuals’ privacy rights are infringed, you are automatically looking at the higher-tier penalty.
Besides the fines for non-compliance, the ICO can also hold you liable for damages. The GDPR gives individuals who have been subject to a data compromise the right to compensation for any material and/or non-material damage resulting from a data protection infringement. In the case of large-scale infringements, this potentially opens the door to mass claims costing the earth.
So where to begin with your GDPR compliance? As a CEO, CFO or CIO, you’re always busy. Your IT guys are busy with maintenance and troubleshooting. You can’t afford to hire a GDPR expert to guarantee your data protection compliance. The solution? Outsource to your local IT managed service provider (MSP) and lay thoughts of non-compliance to rest.
Your MSP will have the experience and know-how to ensure that your IT infrastructure is secure and not vulnerable to hacking and the data breaches that follow. Based on a comprehensive risk assessment of your network, they will identify potential weak spots and remedy them. Also, your systems will have 24/7 remote monitoring, so downtime will be a thing of the past. Would you like some more good news? MSPs are affordable, costing a fraction of what you would pay if you broke the rules. Stay in control, remain compliant, and partner with an MSP today.