In recent times it has become widely known that data protection and privacy claims against businesses of all sizes are increasing. This is due in part to an increase in both regulation and consumer awareness of how businesses should handle and process data. To complicate matters further, the additional requirements of the General Data Protection Regulation (“GDPR”) have also increased the risk of claims.
While the flow of personal data across national boundaries has expanded the commercial prospects of businesses, it has at the same time raised concerns about the privacy of personal data. The lack of standard laws relating to data privacy has made it difficult for businesses to ensure that they are not in breach of any law across jurisdictions. An advantage that smaller businesses have in this regard is that they are more compact than larger organisations and their processes are more agile. Small businesses are therefore in a better position to ensure compliance than large organisations that are grappling with the GDPR requirements.
A recent study of privacy claims made against businesses suggested that 61% of data breaches affect organisations with fewer than 1,000 employees. To gain an insight into why SMEs are increasingly affected by data protection related claims, it is important to understand what their obligations are.
It is because of such data protection legislation that claims for misuse of information and breach of confidence are often made. In such a case, a claimant must show that the information disclosed to a third party without consent is private or confidential in nature. The claimant does not need to show that there was any financial loss and can claim damages for the breach itself and for any distress and anxiety experienced.
Unlike large corporations, which have comprehensive policies and procedures in place and are quite conversant with their privacy obligations, SMEs by their very nature often do not have this luxury. Some SMEs may not even be aware that they are data controllers, or of their requirement to register with the regulators or comply with data privacy regulations. Nonetheless, SMEs usually retain a substantial amount of personal data and/or sensitive personal data.
SME owners and directors can also, in certain instances, be held personally liable in relation to these claims. Business owners are expected to be aware of the need to ensure the company complies with its data obligations. Any failure by the SME’s management to ensure the business has adequate procedures in place and has complied with the relevant regulations could result in a claim by the business entity or other shareholders against the management.
Compliance with data protection laws is a challenge for organisations of any size. But small to medium-sized enterprises (SMEs) have to tackle compliance with limited budgets and a small IT team.
The following are the main regulations that businesses need to consider.
Data Protection Act
The Data Protection Act (DPA) is the starting point for all UK data protection rules. In fact, it is the DPA that makes the EU’s GDPR part of UK law, and the DPA was updated in 2018 when the GDPR came into force. It is a common misconception that smaller companies are exempt from the Data Protection Act. They are not: any organisation that stores or processes personal data needs to deal with the DPA, whether that data is stored locally on a simple server or hard drive, in a cloud service, or on an employee’s laptop.
General Data Protection Regulation
The GDPR brings the EU’s rules for data protection and compliance up to date. The regulation works as a set of principles and does not tell organisations how to be compliant at a technical level. It is down to SMEs to find technical solutions and to demonstrate that they are keeping to GDPR principles and obligations.
Furthermore, the GDPR introduces some significant new rights for consumers, including the right to be forgotten, and some specific requirements for businesses, such as compulsory breach disclosure and, of course, much higher fines (up to 4% of global turnover). Research by IDC has found that the right to data portability set out in the GDPR has caused the most pain for SMEs.
Keeping personal data records on unencrypted media, even if kept under lock and key, or keeping it in the clear in the cloud, will not satisfy the regulators. Ensuring data is encrypted in transit and at rest and that only specified and trained staff can handle the files will show that a firm has tried to keep up with the law.
PCI-DSS
The PCI-DSS standard covers all organisations that handle payment card transactions. Banks will suspend card payments for companies that fail to follow the standard. And if a business suffers a data breach, it must be able to show it has followed the PCI standard for payment information.
PCI-DSS is far more specific than principle-based regulations, such as the GDPR. As such, it is a good starting point for smaller businesses looking to improve their data storage compliance.
Other industry-specific regulations
Other industry-specific regulations include HIPAA and the Privacy and Electronic Communications Regulations, and SMEs in specific industries will need to comply with such additional regulations. For healthcare organisations, the US-based HIPAA (Health Insurance Portability and Accountability Act) is a good proxy for the safe handling of patient or customer data, although it is not a substitute for following the DPA and other UK laws.
The Privacy and Electronic Communications Regulations (PECR) may be less focused on data storage but cover issues such as the use of data for marketing, securing communications services, and holding billing and location information for communications.
Firms will also need to address any requirements imposed on them by customers and, more rarely, suppliers. These can range from rules around the handling of classified government data to protecting commercially confidential information. Businesses such as financial advisers, law firms and PR consultants need to be mindful of confidential data and ensure that files are stored, and shared, securely.
A further challenge for small organisations is that laws and regulations are not static. Businesses also need to plan for legal discovery requests or regulatory investigations.
The following are some steps towards becoming and remaining compliant:
- Data encryption and confidentiality – businesses should have technology in place to ensure that personal data collected is stored in encrypted form, and internal mechanisms to guard against misuse through unauthorised access.
- Data minimisation – purging data that is no longer required.
- Internal policies – businesses should ensure that all internal and external data collection/ data processing/ data retention policies are updated. Training sessions should be conducted to create awareness amongst the employees in relation to GDPR.
- Data processing agreements – businesses are required to stipulate data protection obligations in their contracts with third-party processors.
- User-friendly consent – consent forms for the collection of users’ data should be written in simple language, so that consent is given by a clear affirmative action that signifies agreement to the processing of the user’s personal data.
- Demonstrating compliance – businesses are required to document all procedures and practices dealing with personal information of data subjects to prove compliance under the GDPR.
The financial consequences of a breach can be significant, and notifying and remedying breaches is both expensive and time-consuming. Aside from the financial ramifications, the risk of professional and reputational damage should not be underestimated, with data protection breaches increasingly at the forefront of public and media consciousness.
As duties on how businesses process data become more onerous, it is vital that SMEs and UAs are aware of their obligations and have adequate procedures in place. Insurers should insist that prospective insureds have robust policies and procedures to ensure that data is dealt with correctly and that the entity is registered with the ICO if appropriate.