Brigantia Partners’ commercial director Iain Shaw discusses why it’s important to allocate a budget for GDPR best practices and to recognise the benefit of ongoing staff training.
In this month’s print issue of PCR, I especially enjoyed Laura Barnes’ piece called “The Data Game”. This article examining the perceptions of GDPR and the ICO’s actions hit something of a chord with me. Never having been all that shy, I would like to add my voice to this discussion.
The article said that 52% of UK businesses are not fully compliant: I suspect that this number is somewhat on the low side. One of the first things that a company should do to be compliant is to register with the ICO. According to the ICO, there are “over 500,000 data controllers registered”. Given that some of these will be organisations such as public authorities, charities, etc., let’s take a stab in the dark and say that there are half a million businesses registered. There are roughly five and a half million businesses in the UK, so that means that around one in eleven businesses have registered so far: about 9%.
This feels a lot closer to the actual percentage of businesses which are taking compliance seriously in my experience. Most small businesses are busy trying to get by, just doing what they do best, be it selling tyres, washing windows or manufacturing ready meals. For the most part they do not understand GDPR, have next to no budget for it and have very little by way of time to look at it closely. This is not the right way to do things in this age; however, this is where most small businesses find themselves.
An observation made by Tony Pepper of Egress was that only a small percentage of businesses have acted to protect themselves against the threats that this new legislation brings. He mentioned that the high-profile prosecutions did not seem to be frightening most businesses. This really should not be a surprise: when the news tells them that a few multinational, billion-pound businesses are getting the sharp end of the law, most businesses will feel that they are more likely to win the lottery than to be on the receiving end of a hostile, fine-wielding ICO. This disconnect is very understandable, as the impression given is that the ICO goes after big businesses and not the smaller 99% into which they fall.
If the ICO were publicly tackling SMEs and levelling fines and actions at them in a proactive way, rather than just when complaints are made, then most businesses would be clamouring to put their houses in order. For example, if the ICO took it upon itself to go after the businesses that had failed to register, then that would focus everyone’s attention! It would be quite a money-spinner for the ICO too: the average non-registration fine is £400 plus the average tier 1 / tier 2 fee of £50; multiply that by 5M businesses and you get two and a quarter billion pounds. Not bad for a morning’s work!
However, all the above matters aside, an SME probably needs a system to make this work. The choices are as follows:
1. If the company has anyone capable of understanding the Data Protection Act 2018 and then translating that into how to prepare a business to comply with it, train that person up and hope that they don’t just leave for better-paid Information Governance work elsewhere
2. Read a couple of online guides and try to hash something together without any real understanding of what it’s about
3. Hire new people for the job
4. Pay a consultant for a one-off exercise and count that as a “box ticked”
5. Implement a system for the purpose, such as GDPR365
The reality for most SMEs is that if they want to do this properly, i.e. embrace the privacy-by-default and privacy-by-design ethos, then option “5” is the only real alternative. Once a company has an information security management system such as GDPR365 in place, not only is the threat of being fined and sued greatly reduced, it also adds so many metrics for a business that efficiency should improve through greater control.
One other thing to remember in this is the value of ongoing training. If your staff are not trained about the threats that they will encounter, then how can you expect them not to land your company in trouble? The most common pitfall that I have seen with this is that the most senior people in a company think that they do not need training: needless to say, this is complete folly, as how could they know any more than anyone else without being trained? There are two ways to get trained: the cheap way, where you buy suitable training such as a KnowBe4 managed service, or the expensive way, where you just wait until you or your untrained staff fall for whatever cyber-con is the flavour of the week and suffer a massive, debilitating data breach of one sort or another.
I would just like to close with a sobering thought for most businesses: the threat landscape has changed a lot over recent years and continues to do so. Your trusty old antivirus program is far from capable of protecting you from what is out there now, so unless you deal with these issues, you will be hit rather hard sooner or later. Allocate a budget, get some advice and safeguard your business.
To find out more about how to make your business secure, please email firstname.lastname@example.org or call 020 3358 0090 to be put in touch with a specialist in this field.