Small business owners still clueless about GDPR
Confusion over data privacy rules leaves SMEs vulnerable to fines.
In a new survey, small business owners across the UK admit they are still “clueless” about GDPR.
50% of the 1,000 polled confessed to being confused by data protection and privacy rules. As a result, business owners and employees are making mistakes, or have unlawful processes in place that could attract multi-million pound fines.
Over 25% of businesses allowed staff to use their own computers, tablets and phones for work purposes. This contravenes data privacy rules, as personal data could be stored unencrypted at home. Also, one in ten said they have visitor books in their reception, where visitor details can be seen by anyone.
Paper-based diaries, used by 26% of the businesses polled, could contain private information that can easily be misplaced. And 10% said that circulating printed sponsorship forms containing names and addresses was common in their offices.
Clueless about GDPR? Confused about data privacy rules?
Chris Mallett, a cyber security specialist at Aon, which commissioned the research, said:
As the results show, many businesses could be in breach of GDPR – most likely without even realising it. Visitor books, allowing staff to use their own mobiles for work purposes and even seemingly minor things like distributing sponsorship forms around the office carry risk. Yet these sorts of things are commonplace among businesses big and small across the UK.
The research also found that 25% had used training materials featuring full details of real-life case studies, and 16% had used promotional images that included members of staff wearing their name tags, making them publicly identifiable.
More than half of the respondents said they did not dispose of paper-based customer records securely and confidentially. It was a similar story for staff records (71%), visitor books (86%) and minutes from meetings (78%).
Four in ten had no idea that the loss of paperwork could be a data breach, while 36% were unaware that personal data posted, emailed or faxed to the wrong person could also be a breach.
Six in ten did not know that the ICO (Information Commissioner’s Office) must be notified of data breaches where individuals’ rights are affected. And around half did not know that all affected individuals must be informed as well.
Currently, almost 45% of businesses have no insurance whatsoever in place to protect them against cyber attacks or data breaches.
Mr Mallett added:
Such a significant proportion of businesses not having cyber insurance is a major worry. From talking to our customers we know that many simply can’t guarantee they’re able to successfully defend against a cyberattack and that’s not necessarily their fault – even major corporations are vulnerable. How a breach is dealt with by a business is vital, though, and if it’s not done in accordance with GDPR that business could receive a significant fine as well as damaging relationships with customers and losing out on revenue.
Sources and credits: Know the data privacy rights of EU citizens