By Simon Mitchell
I WOULD be surprised if you haven't heard about GDPR. It's in the news and there have been some good articles published in Business Times over the last year or so (www.business-times.co.uk - search GDPR). The new legislation came into force in May this year and affects all who hold any personal information. If you have not considered this, then time could have run out and you may face serious consequences. Infringement of privacy rights now attracts a fine of up to €20 million, with a lesser penalty of up to €10 million for data breach.
The latest Cyber Security Breaches Survey, published by the Department for Digital, Culture, Media and Sport in April 2018 and available for download from the gov.uk website, estimates that 43 per cent of businesses suffered one or more data breaches in the last 12 months. A good proportion of these had direct consequences, including loss of personal information. This may well be an underestimate, as many breaches are likely to remain undetected, or not reported. GDPR now imposes a legal obligation to report breaches and failure to do so could lead to a much worse situation.
There are various estimates about the costs associated with loss of personal information. You only need to consider the need to notify affected individuals, credit monitoring and compensation, involvement of the regulator, IT consultants and legal advisers, as well as fines, business interruption and reputational damage, to gain some idea of the potential cost for your business. Who do you talk to if you suffer a breach?
Even if you sell B2B and have a handful of employees, you still need to act and the Information Commissioner's Office is probably a good place to start. They issued an introductory guide to GDPR in May 2017. Entitled 'Preparing for the General Data Protection Regulation (GDPR) - 12 steps to take now', this and other helpful information is available for download from the ICO website. If you have matters in hand, you may want to validate your security measures against recognised accreditations, such as Cyber Essentials. You may even consider ISO27001 - best practice for information security management. There are also online tools and consultants who can provide 'face to face' advice.
If not done already, you should consider insurance. You would expect me to say that - I am an insurance broker! However, it is surprising how many business managers do not really understand how their insurance policies would protect them following a data breach. As an absolute minimum, I would recommend that all businesses have Directors & Officers' Liability insurance. This will protect individual directors and senior managers against personal liability for wrongful acts, including failure to set appropriate cyber security standards for own and outsourced data handling systems. Importantly, these insurance policies need to extend to include nominated Data Protection Officers. They can include Corporate Legal Liability, although exclusions around credit card transactions and contractual liability are common.
As well as Management Liability insurance, my advice would be to take out Data & Cyber Liability insurance with access to a good quality Cyber Response service. An increasing number of insurers now offer this class of insurance. However, beware as policy covers do differ, so do not buy based on price alone.
For a copy of Towergate's Cyber & Crime brochure, which includes a useful self-assessment, or an initial and free consultation about cyber insurance needs, contact Simon Mitchell, Account Director, Towergate Insurance, Northampton 01604 887325 (email - firstname.lastname@example.org). Simon is a Chartered Insurance Broker with more than 30 years' experience and a wide range of knowledge about insurance for business. This includes specialist advice about emerging risks such as cyber crime and terrorism.