GDPR: Small business owners still ‘clueless’ about data protection rules, study claims

Owners and employees at risk of multi-million pound fine for breaking GDPR rules

Rob Knight
Wednesday 12 December 2018 12:53 GMT
Comments
The study found almost 45 per cent of businesses do not have insurance in place to protect them against a data breach
The study found almost 45 per cent of businesses do not have insurance in place to protect them against a data breach (Rex Features)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Small business owners polled for a new survey have admitted they are still “clueless” about GDPR - leaving the personal data of millions of employees and customers at risk.

Half of the 1,000 questioned were confused by the rules when it came to data protection and privacy regulations.

As a result, owners and employees alike have made mistakes or have procedures in place which could have resulted in a multi-million pound fine for the business.

More than a quarter of those polled allowed staff to use their own computers, tablets and phones for work purposes which contravene rules as personal data could be stored unencrypted at home.

And one in 10 revealed they have visitor books in their HQ - where visitors can freely see details of others who have been there previously.

Paper diaries were used by 26 per cent of the businesses polled – which could contain private information or customer details and be easily misplaced, while 10 per cent said the circulation of printed out sponsorship forms – which often contain names and addresses – was common at their place of work, which is another contravention of GDPR rules.

“As the results show, many businesses could be in breach of GDPR – most likely without even realising it," said Chris Mallett, a cybersecurity specialist at Aon which commissioned the research. “Visitors books, allowing staff to use their own mobiles for work purposes and even seemingly minor things like distributing sponsorship forms around the office carry risk.

“Yet these sorts of things are commonplace among businesses big and small across the UK.”

The research also found a quarter had used training materials which featured the full details of real-life case studies. Sixteen per cent had used promotional images which included members of staff wearing their nametags – making them publicly identifiable.

BA data breach: 'Name, email, address and credit card information' stolen, says CEO

More than half also revealed they did not dispose of paper customer records securely and confidentially and it was a similar story for staff records (71 per cent), visitor books (86 per cent) and minutes from meetings (78 per cent).

Four in 10 did not know the loss of paperwork could be a data breach, while 36 per cent were not aware personal data posted, emailed or faxed to the wrong person could be a breach too.

Six in 10 had no idea the Information Commissioner’s Office (ICO) have to be notified of data breaches where individuals’ rights are affected and around half did not know all those affected must be told as well.

Currently, almost 45 per cent of businesses have no insurance whatsoever in place to protect them against cyber or data risks.

Mr Mallett added: “Such a significant proportion of businesses not having cyber insurance is a major worry. From talking to our customers we know that many simply can’t guarantee they’re able to successfully defend against a cyberattack and that’s not necessarily their fault - even major corporations are vulnerable.

“How a breach is dealt with by a business is vital, though, and if it’s not done in accordance with GDPR that business could receive a significant fine as well as damaging relationships with customers and losing out on revenue.”

SWNS

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in