
GDPR: What is it & do small businesses need to comply?

Data and privacy seem to be the buzzwords at the moment, and rightly so. With large parts of our lives now lived online, data is being collected, processed, stored, and used in ways we never imagined. In the wrong hands, that personal data is both highly valuable to attackers and genuinely dangerous to the people it describes. 

So, in an effort to protect people in European Union (EU) countries, the EU adopted a set of stringent rules requiring every organisation that handles the personal data of those people to protect it. And even though the UK has now left the EU, the regulation was retained in domestic law as the UK GDPR, so the same data protection rules still apply. 

Just like most laws and regulations, though, they can be confusing, but this is not a time to be complacent because failure to understand and/or comply could see you and your business in very hot water indeed. 

So, what exactly is the UK GDPR and why is it important for your small business?

GDPR – General Data Protection Regulation

The General Data Protection Regulation is a standard for individuals' rights over their personal data and for the protection of that data. Born out of need, the new (-ish) regulation, adopted in 2016 and in force since 25 May 2018, replaced the outdated Data Protection Directive of 1995.

Essentially, GDPR requires businesses to protect the privacy of their customers and any other data subjects by following its rules on how personal data is processed within the UK and the EU member states, and on how that data may be transferred to other countries, whether the transfer crosses a physical border or simply moves the data to a server hosted elsewhere.

Consequently, businesses must ensure that personal data is:

  • processed fairly, lawfully, and transparently
  • collected only for stated, clearly expressed purposes and not used for incompatible ones
  • adequate, relevant, and limited to what is necessary for those purposes
  • accurate and, where required, kept up to date
  • erased or anonymised when no longer needed
  • handled in a way that ensures appropriate security against unlawful or unauthorised processing, access, loss, destruction, or damage

A seventh principle, accountability, requires the business to be able to demonstrate that it meets all of the above, which in practice means keeping records of what personal data is processed, why, on what legal basis, and how it is protected.

Like everything EU related, it is about legal cohesion: instead of a patchwork of national laws, about as varied as EU culture itself, organisations now have one unified regulation across all member countries. In theory, this should make things easier for businesses because the amount of red tape is reduced, but, because the standard required is high, companies often have to invest significant sums to comply.

Although the UK is no longer a member of the EU, the UK GDPR (together with the Data Protection Act 2018) still applies and is enforced by the Information Commissioner's Office (ICO).

What types of data do the new regulations cover?

Data is currently one of the world’s most important assets. With everything becoming electronic, the very essence of who we are can be found online – from where we live and what we like to how we voted in the last election. Therefore, there is a growing concern over how that data is handled and whether it is being kept safe and secure.

The GDPR, then, is aimed at protecting personal data such as:

  • Basic identifying information such as names, addresses, and national ID or social security numbers
  • Online identifiers including IP addresses, cookie identifiers, location data, and RFID tags
  • Health and genetic data
  • Biometric data used to identify a person
  • Racial or ethnic origin
  • Political opinions
  • Sexual orientation

The last five of these are "special category" data, which may only be processed where one of a narrower set of conditions applies on top of the usual lawful basis. Note, too, that the regulation covers personal data generally: anything that identifies a living individual, on its own or in combination with other data, not only the categories listed here.

Do small businesses need to comply with GDPR?

Simply put, if your business processes personal data (any of the data points above, or anything else that identifies a living individual) relating to people in the UK or EU member states, then you are legally required to comply with the regulation. 

Whether large or small, and whether based in the UK, the EU or even the USA, any business that offers goods or services to people in the UK or EU, or monitors their behaviour (for example through website analytics or tracking cookies), needs to comply with the UK GDPR and/or the EU GDPR. 

Notable GDPR fines

It’s been nearly 5 years since GDPR came into effect and the number of fines imposed by the ICO has been steadily increasing.

In fact, from 2020 to 2021 the value of the fines issued by the ICO to businesses across all industries was £42 million. The sectors with the most fines from 2018 to 2022, according to CMS, were Industry and Commerce, and Media, Telecoms and Broadcasting. These sectors were also hit with the highest fines.

Let’s take a look at some eye-watering GDPR fines:

Chart of highest GDPR fines in the UK
  1. British Airways was fined £20 million in 2020 for failing to protect the personal information of more than 400,000 customers. The failure came to light when the organisation suffered a cyber attack in 2018 in which customer data, including payment card details, was accessed by the attackers.
  2. Marriott International was also fined for failing to protect customers' personal data and had to pay £18.4 million in 2020. The breach began in 2014 in the systems of Starwood, a hotel group Marriott later acquired, and went undetected until 2018.
  3. Clearview AI was fined £7.5 million in 2022 for collecting personal data without a lawful basis. Clearview AI scraped more than 20 billion images of people from the web into a facial-recognition database without telling the people in those images that their data was being collected or how it would be used.
  4. Interserve Group was fined £4.4 million in 2022 after inadequate cyber security measures allowed a phishing attack in 2020 to compromise the records of over 110,000 employees.
  5. A fine of £1.35 million was levied on Easylife Ltd for inferring customers' health conditions from the products they bought and using that profiling to target them with health-related products, without their consent.

However, it's not just the big names that are fined by the ICO. Small and medium businesses across the UK have received five- and six-figure fines for breaching data protection regulations, most often for having an insufficient legal basis for processing data or insufficient technical and organisational measures to protect it.

How important is data privacy for UK consumers?

The worry of being fined is not the only reason why businesses should be concerned about their data protection and privacy policies.

Did you know that 32% of consumers have changed service providers, or otherwise ended relationships with brands over privacy concerns? This is according to Cisco’s annual Consumer Privacy Survey.

Consumer trust in organisations is dwindling. According to a report by Salesforce, 65% of customers have stopped buying from businesses they don't trust, in large part because of how they perceive those businesses to be using (or misusing) their data.

We all know that data is a driving force for growth, but this rising focus on collecting and processing as much data as possible is driving a wedge between companies of all sizes and their customers.

GDPR has changed the landscape for organisations, but it’s consumers who are most concerned and willing to take action to protect their data. Businesses that can demonstrate that they can be trusted with consumer data will come out on top and be rewarded with increased customer loyalty and an influx of privacy-conscious new customers. According to research by Truata, 60% of consumers say they would spend more money with a brand they trust to handle their personal data responsibly.

So what can organisations do to increase consumer trust? According to Cisco’s survey, consumers want businesses to: 

  1. Provide clear information on how data is being used.
  2. Refrain from reselling customer information.
  3. Comply with privacy regulations.
  4. Allow customers to configure privacy settings freely.
  5. Take action to avoid data breaches that might expose customer data.

Compliance spending

You might be wondering how much this will cost your business and whether you can afford it.

A survey from Statista shows that 27% of European small businesses spent between €1,000 and €10,000 on GDPR compliance in 2019. Twenty-four percent spent up to €50,000, another 10% up to €100,000, and just 2% spent more than that, up to one million euros. A further 32% spent less than €1,000.

However, according to research from Cisco, organisations of all sizes, across 26 different countries, spent on average $2.7 million on privacy compliance in 2022. What's more, according to the same study, the estimated average benefit from that privacy spending in 2022 was $3.4 million, roughly a 1.3x return on privacy investment.

Who is responsible for compliance?

There are more roles responsible for playing their part in GDPR compliance than you might think. Whether personally or professionally, our society functions on a system of integrated networks, as do our businesses, so responsibility falls at the feet of many, not just one: most obviously the data controller (who decides why and how data is processed), the data processor (who processes it on the controller's behalf), and, where one is required, the data protection officer. External contractors such as cloud providers are processors with their own direct obligations under the regulation, and the controller must have a written contract with each of them setting out what they may do with the data. That is why it is essential to partner with service providers who understand the regulations and what needs to be done to comply with them, so both your customers and your business remain protected.

Compliance is necessary

To be compliant, you need to know the law, or trust that the people you have teamed up with know it and know what needs to be done so that you comply with it. NetworkIQ can help. Call our expert team today to learn more.


Comment (1)

  1. Edna

    In January 2018 I had just closed my Etsy store and launched my own online store, only to have to deal with the GDPR. It was hell, mostly because I was stubborn and didn't want to pay for someone to fix it, so I had to do it myself. If I had to go through that again I would 100% delegate; so much time wasted, not to mention the fact that I was a nervous wreck.
