We’re now more than seven months on from the European General Data Protection Regulation (GDPR) deadline on 25 May 2018 – how confident are you that your small business is fully compliant?
A new survey of 1,000 small business owners has revealed that half are confused by the rules, according to the Independent.
This suggests the personal data of millions of customers and employees is being left at risk, as some small business owners admit they're 'clueless' when it comes to data security.
The survey was commissioned by Aon. Chris Mallett, a cybersecurity specialist for the firm, said: “As the results show, many businesses could be in breach of GDPR – most likely without even realising it.
“Visitors books, allowing staff to use their own mobiles for work purposes and even seemingly minor things like distributing sponsorship forms around the office carry risk.
“Yet these sorts of things are commonplace among businesses big and small across the UK.”
But we all know that not knowing the rules is never seen as a valid excuse, so read on to see if you’ve made these common security mistakes. They could see your small business slapped with a fine running into the millions.
Common GDPR mistakes small businesses make
1. Letting staff use their own computers
More than a quarter of businesses surveyed made this mistake. Letting your staff use their own laptops and devices for work purposes can mean unencrypted customer and employee personal data ends up stored on devices at home, outside the business's control.
2. Keeping a visitors book
10 per cent of businesses made this mistake. It's a seemingly harmless way for guests to note their visit to your place of business, especially if you're in the hospitality industry. The problem is that a shared visitors book leaves the personal details of previous visitors openly visible to anyone who signs in.
3. Keeping a paper diary
Keeping a paper diary might be preferable to doing everything on a screen for some business owners. But as it could include private details about customers, this too poses a privacy risk. 26 per cent of businesses polled made this mistake.
4. Circulating printed sponsorship forms
This is a clear GDPR contravention, as printing and distributing sponsorship forms tends to include names and addresses of individuals. One in ten businesses made this mistake.
Other privacy mistakes
Further contraventions by the small businesses polled include case studies in training materials that reveal the full details of the individuals featured (25 per cent), and distributing promotional images of employees that show their unobscured name badges (16 per cent).
Not disposing of paper records properly
Paper records were another hazy area for those surveyed. The results revealed that not all small businesses are aware of their responsibility to get rid of paper records securely and confidentially.
More than half aren’t aware of their obligation to get rid of paper customer records. That figure jumps to 71 per cent for staff records, 78 per cent for meeting minutes, and 81 per cent for visitor books.
Further to that, 10 per cent don’t realise that losing paperwork can count as a data breach and 36 per cent aren’t aware that posting, emailing, or faxing personal details to the wrong person could also be a breach, according to the Independent.
Duty to notify the Information Commissioner’s Office
Did you know that you’re obliged to notify the Information Commissioner’s Office, as well as all those affected, if your business has a data breach that affects individuals’ rights? Six in 10 of the small business owners polled didn’t.
With the risk of being fined running high in the event of a data breach, it may come as a surprise that 45 per cent of businesses don't even consider it when taking out business insurance.
Are you fully up to speed on the rules around GDPR? Let us know your thoughts in the comments below.