How to avoid the most common mistakes that could cost SMEs time and money…
“There are 5.51 million SMEs in the UK, which make up 99.9% of private sector businesses, but they often struggle with GDPR compliance due to a lack of awareness and understanding of the regulation’s requirements, resulting in inadequate data protection measures.
Some businesses, particularly small ones, may not fully understand the regulations or might mistakenly believe that GDPR does not apply to them because the UK left the EU. However, the UK has its version, known as the UK GDPR, which has similar rules.”
- Retaining unnecessary data: “The more personal data you collect, the more you’ll need to invest in storage space and data protection, which will cost you both time and money. Additionally, under the GDPR, personal data should only be retained for as long as it is needed to fulfil the purposes for which it was originally collected. If you must keep certain types of records for a specific period, such as financial, medical, or legal documents, implement a data retention policy. This policy should outline how long various types of data are kept and detail your processes for managing, storing, and disposing of records. Regularly review your data and securely destroy personal information once it’s no longer needed.”
- Failing to renew your ICO registration: “If you handle or use personal information, you will need to register with the ICO and pay a fee. Processing means taking action with a person’s personal data, from storing IP or MAC addresses to shredding documents containing personal data. These data protection fees are due annually and failure to pay can result in fines of up to £4,000. However, most SMEs only need to pay £40 to £60 per year. To avoid fines, set a reminder for your ICO registration renewal date well in advance. If possible, set up an automatic renewal to save you from having to remember, and regularly review your organisation’s data protection practices to ensure compliance with ICO requirements.”
- Not properly complying with Subject Access Requests: “GDPR states that those using your service or product have the “right of access” to their personal information. This allows them to request any personal data you hold about them, known as a subject access request (SAR). Your organisation must know how to properly comply with SARs, otherwise the requester may use a court order for you to comply or seek compensation. You need to respond to a SAR within one month of receiving it. The first step is to designate a data protection lead. Verify the requester as soon as possible by asking specific security questions, like reference numbers. Make sure there is a mutual understanding of what they’re asking to see. If someone other than the data subject submits the SAR, ensure they have the authority to access the information. Identify and redact any information related to third parties to protect their privacy. Alongside providing the requester’s personal data, include your privacy information in your reply to explain why and how their data is held.”
- Emailing sensitive information to the wrong person: “This is a common problem, as the autofill feature in the ‘To’ field predicts who the recipient of the email is as soon as you start typing. This makes it more convenient to navigate your address book, but you also risk accidentally sending personal information to the wrong person if you’re not careful. By law, you must report any personal data breaches to the ICO within 72 hours, and attempt to recall the email in the ‘Sent Items’ folder. If you can’t recall it, don’t be afraid to follow up and ask the contact to delete the original email. In the future, consider disabling autofill for work emails. Additionally, use Data Loss Prevention tools like Email DLP to scan emails for sensitive data or block emails from being sent to unintended recipients.”
- Opening suspicious links and attachments: “Occasionally, you might receive emails from unknown senders or encounter suspicious links and attachments. These could be phishing attempts or other forms of cybercrime that can damage your computer and systems. To protect your devices, use antivirus software on all work computers and laptops and restrict staff from downloading third-party apps from unknown sources as these are not vetted for security. Furthermore, ensure that all your IT equipment is running the latest software and firmware updates from developers and vendors. To ensure software is consistently updated, you can set operating systems to automatically update. Make sure every device has a firewall enabled to provide security between your internal and external networks.”
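The email DLP control mentioned in the “wrong recipient” point above is easy to describe and easy to get wrong, so here is a worked example of the pre-send check such a tool performs. This is an added illustration, not code from the article or from any DLP product it names. It assumes a hypothetical organisation domain (example.co.uk), treats any other domain as external, and looks for two kinds of personal data that SMEs commonly leak by email: UK National Insurance numbers (matched by pattern) and payment card numbers (matched by pattern and then confirmed with the Luhn check, so that phone numbers and order references are not flagged). The sample message is constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical organisation domain (assumption for this example).
# Any recipient whose domain is not listed here is treated as external.
INTERNAL_DOMAINS = {"example.co.uk"}

# UK National Insurance number: two letters, six digits, suffix A-D.
# The first letter excludes D, F, I, Q, U and V, as in the real format.
NI_NUMBER = re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b", re.IGNORECASE)

# Candidate payment card numbers: 13 to 19 digits, optionally separated by
# spaces or dashes. Candidates are only reported if they pass the Luhn check.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits of `number` (separators ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_data(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for personal data found in `text`."""
    findings = [("ni_number", m.group()) for m in NI_NUMBER.finditer(text)]
    for m in CARD_CANDIDATE.finditer(text):
        if luhn_valid(m.group()):
            findings.append(("card_number", m.group()))
    return findings


def external_recipients(recipients: list[str]) -> list[str]:
    """Recipients whose domain is not one of the organisation's own."""
    return [
        addr for addr in recipients
        if addr.rsplit("@", 1)[-1].strip().lower() not in INTERNAL_DOMAINS
    ]


@dataclass
class Verdict:
    action: str          # "allow", "warn" or "block"
    reasons: list[str]


def check_outgoing(recipients: list[str], subject: str, body: str) -> Verdict:
    """Decide whether a draft email may leave the organisation.

    Sensitive data going to an external address is blocked outright;
    sensitive data going only to internal addresses produces a warning so the
    sender can confirm the recipients were not mis-autocompleted.
    """
    findings = find_sensitive_data(subject + "\n" + body)
    ext = external_recipients(recipients)
    if findings and ext:
        kinds = ", ".join(sorted({k for k, _ in findings}))
        return Verdict("block", [f"{kinds} addressed to external recipient(s): {', '.join(ext)}"])
    if findings:
        return Verdict("warn", ["personal data present; confirm every recipient before sending"])
    return Verdict("allow", [])


if __name__ == "__main__":
    # Constructed sample message; the NI number and card number are test values.
    draft_body = ("Hi, the new starter's NI number is AB123456C and the company "
                  "card is 4111 1111 1111 1111. Please set them up on payroll.")
    verdict = check_outgoing(["jane@example.co.uk", "john@gmail.com"], "New starter", draft_body)
    print(verdict.action, verdict.reasons)   # block, with the external address named
```

The two-tier outcome mirrors how the tools described in the article behave: a hard block where data is clearly leaving the organisation, and a prompt where the only risk is an autofill slip to a colleague. Patterns for other data types (passport numbers, dates of birth alongside names) can be added to find_sensitive_data in the same way.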