Leading law practice Irwin Mitchell have recently conducted a survey of 2,129 senior decision makers within business and the results are pretty astonishing.
With just under a year to go until implementation, only three in every ten have started to prepare for GDPR and 35% are unaware of the new rules, including fines for data breaches.
You would like to hope that one sector at least, marketing and advertising, would be completely up to speed; but no, only 34% admitted in the survey that they were aware of the GDPR and 17% admitted that the maximum punishment would force them out of business. Given that event companies are often included in this sector, it would not be too much of a stretch to apply the findings to them as well.
We do need to rein back on the worst-case scenario a little, because it is the job of law firms to paint the picture as black as possible, but there is no doubt that any organisation that is not taking the legislation seriously could find itself in dire straits. The fines are likely to be at their largest for those which cannot demonstrate the measures and processes they have put in place to keep data secure, and the mechanisms they have for spotting a data breach.
Firstly, what constitutes a breach? Essentially this is an incident where there is an impact on an individual’s privacy. At one end there is a wholesale hack of customer data, at the other a confidential letter put into an envelope addressed to someone else, with the downloading of unencrypted data onto an unprotected laptop somewhere in between. Not forgetting, of course, the member of staff who leaves you to go elsewhere, taking your sales/marketing database with them. Where this begins to impact the business is that in certain instances you need to report the breach to the ICO within 72 hours.
So, if you can’t identify that you have a breach, possibly because you don’t know where all of your data is, how are you going to report it at all, let alone within three days? If you, like 63% of the marketing and advertising companies in the survey, aren’t confident that you can notify the relevant stakeholders within the timeframe, then you are automatically putting yourself in the frame for a fine.
Plus, just being able to identify and, potentially, report the breach isn’t the end of the matter. There is a specified format for the type of information you will need to provide, including the number of records affected and your mitigation procedures. If your data isn’t secure and compliant, your contracts with your Data Processors cast-iron, and your procedures professional, not only could you be facing a financial penalty, but you could find your business tied up in knots for a considerable period. If you are running a really lean operation, this could prove catastrophic.