Small business owners polled for a new survey have admitted they are still “clueless” about GDPR – leaving the personal data of millions of employees and customers at risk.
Half of the 1,000 questioned were confused by the rules when it came to data protection and privacy regulations.
As a result, owners and employees alike have made mistakes, or have working practices in place, that could expose the business to a multi-million pound fine.
More than a quarter of those polled allowed staff to use their own computers, tablets and phones for work, a practice that, without controls such as device encryption and a clear policy on what may be stored where, can leave personal data sitting unencrypted on a home device and put the business in breach of GDPR's requirement to keep personal data appropriately secure.
And one in 10 revealed they keep a visitor book at their premises, where each visitor can freely read the details of everyone who signed in before them.
Paper diaries, which may contain private information or customer details and are easily misplaced, were used by 26 per cent of the businesses polled. A further 10 per cent said that circulating printed sponsorship forms, which often list names and addresses, was common at their place of work, another practice that can fall foul of GDPR rules.
“As the results show, many businesses could be in breach of GDPR – most likely without even realising it,” said Chris Mallett, a cybersecurity specialist at Aon, which commissioned the research. “Visitor books, allowing staff to use their own mobiles for work purposes and even seemingly minor things like distributing sponsorship forms around the office carry risk.
“Yet these sorts of things are commonplace among businesses big and small across the UK.”
The research also found a quarter had used training materials featuring the full details of real-life case studies, and 16 per cent had used promotional images showing members of staff wearing their name tags, making them publicly identifiable.
More than half also revealed they did not dispose of paper customer records securely and confidentially, and it was a similar story for staff records (71 per cent), visitor books (86 per cent) and minutes from meetings (78 per cent).
Four in 10 did not know the loss of paperwork could be a data breach, while 36 per cent were not aware personal data posted, emailed or faxed to the wrong person could be a breach too.
Six in 10 had no idea the Information Commissioner’s Office (ICO) has to be notified of data breaches that are likely to put individuals’ rights and freedoms at risk (within 72 hours of the business becoming aware of the breach), and around half did not know the affected individuals must also be told when the breach is likely to pose a high risk to them.
Currently, almost 45 per cent of the businesses polled have no insurance whatsoever in place to protect them against cyber or data risks.
Mr Mallett added: “Such a significant proportion of businesses not having cyber insurance is a major worry. From talking to our customers we know that many simply can’t guarantee they’re able to successfully defend against a cyberattack and that’s not necessarily their fault – even major corporations are vulnerable.
“How a breach is dealt with by a business is vital, though, and if it’s not done in accordance with GDPR that business could receive a significant fine as well as damaging relationships with customers and losing out on revenue.”