GDPR: What’s the outlook for SMEs one month on?
A month on and the GDPR countdown seems like a distant memory. And although the world didn’t end as some feared it might, a lot has happened since the regulation was introduced.
Data security has been a mainstay in the headlines and some companies are in the firing line already for potential breaches of the new legislation.
Data privacy stories
On day one, complaints about Facebook and Google were already being filed with the ICO. Facebook’s shady consent gathering attempts had resulted in many raised eyebrows before 25 May arrived, but the official complaints directed at the two corporations could have serious consequences – potentially resulting in fines of more than £3bn for each company.
In an interesting turn of events, Twitter’s interpretation of the data protection legislation led to the social media giant suspending the accounts of previously underage users, who had set up their accounts before reaching the required age of 13. Google was in the headlines again, as the launch of its new video doorbell – with facial recognition capability – led to questions surrounding privacy and biometric data. And elsewhere, the ICO confirmed that an investigation into a potential breach of recruitment software firm PageUp is under way – possibly affecting two million users across 190 countries.
Then more recently, Dixons Carphone owned up to a huge data breach that occurred almost a year ago. A hacking attempt on its systems reportedly started in July 2017, with cyber-attackers gaining access to the credit and debit card details of 5.8 million customers. Luckily, most of these were chip-and-pin protected – although over 100,000 were not – and no evidence of fraudulent activity was found in the retailer’s investigation into the breach.
However, many questions are being directed at Dixons Carphone now – mainly about why they have only just reported an attack that happened such a long time ago and whether it’s connected in any way to the 2015 Carphone Warehouse breach. According to the retailer, the hack was only detected in the past few weeks and bears no link to the previous attack, but there’s an air of suspicion surrounding these latest revelations. Fortunately for the company, the timing of the breach means that it won’t be hit by the GDPR’s strict penalties, but there will be a great deal of scrutiny from the ICO regarding its future activities.
Others have had a similarly lucky escape from the larger GDPR fines, thanks to the timing of their data breaches.
This month, Gloucestershire Police were fined £80,000, when it was revealed that the identities of child abuse victims had accidentally been disclosed in a 2016 email, in a failed attempt to use the bcc (blind carbon copy) function. The British and Foreign Bible Society faced penalties of £100,000 following a 2016 cyber-attack, whilst BT was fined £77,000 for sending nuisance emails prior to the regulation coming into effect.
Assessing the outlook for SMEs
The first companies to be facing potential GDPR penalties – as well as those whose past breaches have hit the headlines since its introduction – may mostly be large corporations, but there are still valuable lessons to be learnt by SMEs.
Most importantly, small business owners should be ensuring that they keep up with the data protection efforts they have implemented so far. There’s no such thing as reaching a state of GDPR compliance – it’s a continuous slog, but definitely a worthwhile one.
Promisingly, the ICO has made it clear lately that the purpose of the new regulation isn’t to trip SMEs up, but rather to ensure that bigger companies are taking their responsibilities seriously when it comes to protecting the data they hold. But having said that, there has still been confusion surrounding the laws amongst smaller businesses, not to mention significant obstacles to overcome where such issues as compliant email marketing are concerned.
Looking further ahead to the future, the ePrivacy regulation is the next one set to make its mark on the modern business environment – although it’s not expected to be introduced for a while yet. And whilst it’s unlikely to cause quite the level of furore that the GDPR created across the business world, it is still bound to have a significant impact on the way that companies use digital data.
As for the ongoing GDPR saga, we’ll just have to wait and see how the next chapter unfolds!
Need some advice about GDPR or data security? You’re in the right place! Give us a buzz to talk to one of our resident IT experts about your requirements.