A New Era of Regulatory Mega Fines: How SMEs Should Respond
In analysis / By Phil Muncaster / 25 July 2019
The last couple of weeks have seen a flurry of regulatory activity in the data protection space, spelling an end to the GDPR honeymoon period and trouble for some big-name brands. As fines hit astronomical sums, SMEs could be forgiven for thinking that they’re flying too low under the radar to warrant attention themselves. They’d be wrong to do so: no organisation is above the law and smaller firms have already received fines.
Now is the time to ensure you’re doing all you can to protect customer data. It could even be a differentiator for your business.
A fine time
When the UK regulator, the Information Commissioner’s Office (ICO), issued a statement on 8 July 2019, it was a moment that industry watchers had long been waiting for. Despite a €50m fine for Google earlier this year, no fine had until that point been issued for a data breach. That all changed in spectacular fashion, as the ICO handed British Airways a bill for a staggering £183.4m. It came after a breach involving digital skimming code which was placed on the carrier’s website, compromising log-in, payment card and travel booking details, as well as name and address information, for 500,000 customers. Although the attack was fairly sophisticated, the ICO was not satisfied with the “poor security arrangements” at the company.
“When you are entrusted with personal data you must look after it,” said information commissioner Elizabeth Denham. “Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
As if that wasn’t enough, the ICO was in action again a few days later, hitting Marriott International with a £99m fine. This one was interesting as it highlighted the international reach of the GDPR – applying to any global organisation, as long as those affected in an incident are EU citizens. It also showed that organisations can be held responsible for breaches that did not happen on their watch. In this instance, the IT systems of Starwood Hotels were compromised in 2014 but not discovered until 2018 when Marriott revealed a breach of 339 million guest records. The hotel giant was ultimately fined for poor due diligence.
It’s not just GDPR regulators that have been getting all the press recently. In the US, the FTC is reported to be readying a massive $5bn fine for Facebook following the Cambridge Analytica scandal. It would be the largest ever to be levied by the regulator against a tech company and for privacy violations.
The knives are out
All the focus so far has been on these mega fines, and there will surely be more. But for SMEs hoping to keep their heads below the parapet, there’s concerning news: this is only the beginning, and no firm will be exempt. True, a small high street retailer in a provincial town is unlikely to be slapped with a fine of the size levied against BA or Marriott. These are calculated based on the number of customers affected, the harm a breach would cause the victims, and other factors. But even if they don’t run into millions of pounds, fines may still be enough to cripple a small business.
The ICO has a new funding model which will help it dedicate more resources to investigating allegations of non-compliance. It won’t get to them all immediately, but SME owners cannot afford to rely on staying under the radar. In the first year of the new data protection law, 89,000 breaches were reported to European regulators. By March 2019, €55m had been levied in fines. Although the majority of this was the Google penalty, it still shows that regulators have been handing out smaller but significant sums over the period.
It’s all about perception
The signs don’t look good. A report from insurer Hiscox last year revealed that over a third (39%) of SME owners don’t know what kind of company the GDPR is designed to regulate, while one in 10 said they didn’t think it grants consumers any new rights. This lack of awareness is a concern – hopefully the increased publicity these large fines are generating will change things. However, communications about GDPR were also listed by SMEs as one of the most annoying online trends of 2018, alongside PPI phone calls and website pop-ups. The message is not getting through.
Small business owners need to get on top of this, and fast. Part of the problem with compliance is that it is usually seen as a burden – something to devote the minimum possible resources to in order to get over the line. With GDPR, that will not do. There’s no destination for compliance, nor is there an easy checklist to tick off. It’s all about continual process improvements and ensuring data protection tools remain “state of the art”.
A good way to start would be to see GDPR not as another onerous compliance requirement, but as an opportunity to build customer trust and differentiate from the competition on improved security. This would not only help your business drive profits, but it would also minimise the chances of a damaging security breach, and all the remediation, investigation, legal, staffing and other costs that typically follow one.
Time for compliance
With that in mind, consider the following list as a rough guide on where to start with GDPR compliance. If you’re struggling, though, don’t be afraid to reach out to the ICO. The regulator knows that many SMEs have limited resources – the key is to show that you are trying to change things.
- Perform a full data audit to understand what you process, where it flows, and which data is high risk
- Run regular end-user awareness-raising exercises for all staff, including real-life phishing demos
- Ensure your third parties are maintaining the same standards of GDPR-compliant security and update contracts to reflect this
- Design and regularly test an incident response plan
- Keep all devices, PCs, servers and software up to date
- Follow best practice standards and frameworks. Start with [Cyber Essentials](https://www.cyberessentials.ncsc.gov.uk/advice/). BS 10012:2017 personal information management system (PIMS) and ISO 27001:2013 information security management system (ISMS) may also help
- Consider outsourcing some or all security functions to a managed security services provider
- Appoint a Data Protection Officer if required
- Apply relevant best practice controls to that data, including:
  - Endpoint, network, server and web/email gateway protection, ideally from a single reputable provider
  - Tight access controls (least privilege) and multi-factor authentication (MFA)
  - Continuous network monitoring for threats
  - Strong encryption for data at rest and in transit
  - Pseudonymisation technology
  - Mobile device management controls
Above all, remember that GDPR compliance is not a single process that you can tick off and move on from. It will require constant attention and a close eye on what regulators are demanding, as requirements may change over time. Follow the ICO for updates.