According to the government’s Cyber Security Breaches Survey 2017, nearly half of all UK businesses suffered a cyber breach or attack over a 12-month span.
The most common breaches were fraudulent emails – for example, staff could have been sent emails trying to fool them into disclosing passwords or financial information. Viruses, malware and ransomware were also common.
Interestingly, the survey also found that businesses holding electronic personal data on customers were much more likely to suffer cyber breaches – 51 per cent compared to 37 per cent of those that did not.
Recovering from a cyber attack can be expensive, and as a result it’s only too easy for a business owner to treat this as the real cost of a security breach. Yet it is not the only cost. A cyber attack, particularly one in which personal data is exposed, can have serious implications for a business’ reputation, and in the long run this can do far more damage.
We asked some businesses why data protection is so important for a business’ reputation, and here’s what they had to say:
“Data and its protection has changed so much since the old data protection rules were written,” said Abby Blackmore, head of operations at Impero.
“With the growth of the internet and computers in general, we now have more data than ever at our fingertips. Whilst we can’t fathom doing our jobs without this huge cloud of data, it means we are much more open to data breaches.
“It is important to be on top of your data protection as clients and employees are now much more aware of the importance of their data and its safety and it is a very important responsibility they have trusted us with. I think companies need to show that they have taken that responsibility seriously, fines or no fines!”
Andy Carr of Spoon Customs, a handmade custom bike company, said: “We’re tiny, and don’t handle much data yet, but our customers expect the same level and standards as they would from anyone else.
“We use a lot of outsourcing or web-based services such as Mail Chimp and Squarespace, which means a lot of our sensitive information is held or managed securely by these companies. We review our internal processes as needed.
“I guess anxiety drives that, rather than immediate business needs just now, but as we get bigger, we’ll need to think about how we scale all aspects of the business in a way that’s safe and manages risk for us and our customers.
“The threat of losing customer trust, loyalty and confidence is potentially far more damaging than the financial fine when you consider the long-term cost to your brand’s reputation. Your customers need to know you manage their data in a compliant, rigorous and respectful way,” said Helen Goldberg, founder, LegalEdge.
It’s not unusual for people to be a little precious about giving away their personal data. Think about the last time you wanted to purchase something online, but you weren’t familiar with the website – did you hesitate before entering your card details?
We know this is a common experience of modern life – nobody wants to enter their details and be bombarded with emails and calls from that same company and other related third parties from there on out.
We know business owners need to be careful with the personal data they hold, and that they need to be respectful of their customers’ details. Yet one thing that is easy to overlook is how businesses store employee details.
“Some aspects of data protection are about common sense. This is one such area. We use consultants to help us understand our exposure, and then we put simple systems in place to help us manage it. It’s not that onerous in this case, as I still run everything,” said Carr.
“At Impero we regularly review that our HR software is compliant, and that knowledge of employee data is available only to those who need it. Keeping the circle of access tight, and the software top tier, allows us to be sure we are keeping privacy protected,” said Blackmore.
Of course, very soon, simply overlooking this area of data protection will not be an option – or rather, to do so could risk heavy fines.
The General Data Protection Regulation (GDPR) comes into force on 25 May this year, at which point any business or organisation holding EU citizen data, regardless of whether the person is an employee or a customer, will be held to exacting standards.
Get with the times
So, what is GDPR? Essentially, it’s a new list of criteria that businesses and organisations have to meet to unify data privacy laws across Europe.
Don’t let this mislead you though – GDPR is designed to protect all EU citizens’ data privacy. This means that, even after Brexit, if a business has any EU customers, it is still obliged to comply with the new rules.
Under GDPR, EU citizens will be given the right to access their data, the right to be forgotten, and the right to be notified if there is a data breach, among other things.
The conditions for consent are also going to be strengthened – businesses and organisations will have to be entirely transparent about what the data will be used for, how it will be processed, and so on.
“GDPR feels like a huge beast when you initially look at it, with far reaching consequences,” said Blackmore.
“The first step, as with any big looming project, is to break it down into more manageable buckets of work, prioritising them, and just working slowly but surely to a good place.
“Once your initial audit is done, you inevitably find that you are actually already compliant in a lot of areas, and others just need tweaks rather than massive overhauls. Breaking through the stigma and fear of how big this change feels is the first step.”