GDPR and Small Business


Data Protection for Small Business (SMEs)

Why planning your time is important

As experienced consultants we’re used to working with clients to help them plan their time and resources.  And because we work with GDPR for small business owners – SMEs, we’re very used to business owners not having enough time to manage all the things they need to be doing.  And here we are, asking you to make even more time for tasks which may seem unpleasant, or even daunting.

But take our word for it: if you are able to book some time in, you will definitely not regret it. And since you are booking time for this, why not have a look at scheduling your time for other things as well? Recent surveys show that managing time well as an SME can definitely help your business!

So, what’s all the fuss about GDPR?

You’ll (hopefully) have heard about the new data protection regulations coming into force across the whole of the EU. This new regulation will replace all 29 individual Member States’ directives with one set of rules for all. At the core of the new law is an individual’s right to privacy and to the protection of their personal data, treated as the most important consideration.

This means that any business who trades with or in the EU, and has data (information) on living people who are in the EU, will be affected.  Think for a moment about how much data you use every day, about your clients and customers, your employees, your suppliers, your marketing prospects, and other third parties.  It’s a lot!  This includes electronic data, paper copies, old invoices in box files, business cards in rolodexes and that filing cabinet in the corner of the office that no one has a key for any more.

Safe and secure?

And other companies likewise hold a lot of information about you, as a private individual and as a business person. Some of it you won’t even know about. Possibly you won’t care, in many instances, what information these companies have about you or what they do with it. But increasingly we live in a world where digital boundaries are carelessly managed and breaches are more common. We should all care what information about us is held, why, where, and how safely it is being looked after. And we should be mindful of our obligations for the data we hold on others, and what that means for getting GDPR right as a small business.

Recent highly publicised breaches of large companies such as Sony, TalkTalk, the NHS, Equifax and Deloitte highlight how sophisticated and aggressive cyber attacks are becoming, and how devastating they can be to individuals and to companies alike.

SMEs should worry about cyber security

Under the new regulations company responsibility for the data they hold will be greatly increased.  The fines will also increase enormously, especially for blatant wrongdoing – ignorance will not be a valid excuse!  The regulations will be monitored in the UK by the Information Commissioner’s Office, otherwise known as the ICO.  The ICO will be taking their duties to actively investigate and look for breaches very seriously, which means you should too.

Cyber security may seem to many SMEs to be a catchphrase more suited to the big companies than to small businesses.  And it’s true – large companies spend a lot of money on cyber security, and have whole teams in place.  Yet, as we have seen from the above examples, even the big companies suffer from breaches.

The chances that your business has suffered some form of cyber attack in the last 12 months are actually pretty high!  Staggeringly, reports confirm that more than 1,000 UK small businesses are attacked in some way each day.

Why target SMEs?

Well, often it isn’t personal – malware and ransomware are specifically designed to trawl through websites looking for weak spots and back doors. Smaller businesses are vulnerable because their websites and email systems, laptops and administrator profiles are less sophisticated and easier to hack. Entrepreneurs and sole traders spend more time on the move, using public wi-fi hotspots and mixing business use and personal use on their mobile devices.

However, time and again the key weak link is human error, and again this is where smaller businesses are far more vulnerable. Regular training and awareness about cyber security and basic information and data privacy is less likely to be delivered to SME employees. This means, unfortunately, that SMEs are open to a wide range of email scams, trojans, viruses in attachments and links, redirected invoices, poor security practices, outdated software, and man-in-the-middle hijacks, often without realising it, and usually with devastating consequences.

Crying all the way to the bank

Larger businesses may be able to lose a few thousand pounds from their bank account and still carry on trading – but think about how that would affect your business.  Could you afford to lose a few thousand pounds and not be affected?  What about the entire contents of your business bank account?

Like all insurance and risk policies, you are usually far better off investing in protection before you need it than afterwards. All cyber security professionals will swear that prevention is better than cure!

Next week, we’ll introduce you to some first steps in reviewing your business for GDPR compliance.  Remember to book time each week for your tasks, and think about who can support you, either within your business or externally.

Remember Sphere can support all your data protection guidance, including our practical toolkits full of templates and tools. Call 01442 345398 or email

2018-01-24T12:45:32+00:00 | November 10th, 2017 | Small Businesses