The effect of the GDPR on SMEs

The EU’s General Data Protection Regulation (GDPR) will come into effect on 25 May 2018, and will replace current legislation, the Data Protection Act 1998 (DPA). The government has also confirmed that, post-Brexit, the UK’s data regime will mirror the GDPR, as evidenced by the recent Data Protection Bill.

The aim of the GDPR is to protect the personal data of customers and regulate the conduct of businesses, including small and medium-sized enterprises (SMEs). It will affect any business that collects, processes or stores personal data from EU-based individuals, including businesses based outside the EU.

In the context of SMEs, whilst the concept of the GDPR has not changed much from the DPA, there are additional obligations. One of the key changes is the significant increase in penalties, which could threaten the existence of an SME. Fines are punitive. Non-compliance can attract a fine of up to 2-4% of annual global turnover or €10-20 million - whichever is greater.

The consequences under the DPA

Currently, the Information Commissioner’s Office (ICO) can apply fines of up to £500,000 for contraventions of the DPA.

In June 2017, a small business, Boomerang Video Ltd, was fined £60,000 for a cyber attack in which details of over 26,000 customers could be accessed. The ICO found that Boomerang failed to take basic steps to stop its website being attacked.

According to an ICO enforcement manager: “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.” Indeed, the hefty fine demonstrates the increasingly hard-line approach the ICO is adopting, and has made many SMEs sit up and take note.

Whilst Boomerang’s fine was substantial, when compared to the fines faced by larger companies it can be seen that the ICO have tried to be proportionate, taking the company’s size and resources into account.

Following the Boomerang attack, the ICO said “If a company is subject to a cyber-attack and … they haven’t taken steps to protect people’s personal information … they could face a fine … And under the new [GDPR] … those fines could be a lot higher.”

The ICO fined UK companies a total of £880,500 in 2016. Had the GDPR been applied, this figure could have been up to £69 million.

The consequences under the GDPR

The GDPR’s two-tiered sanction regime will see organisations receiving fines, depending on the gravity of the violation:

  • Lower tier fines of €10m/2% of annual global turnover will apply to less serious infringements, such as a company’s failure to:
    • Report breaches within the 72-hour window
    • Cooperate with supervisory authorities
    • Implement technical and organisational measures to ensure data protection
    • Maintain written records.
  • Higher tier fines of €20m/4% of annual global turnover will apply to data breaches which relate to:
    • Data subjects’ rights
    • International transfers of data
    • Failure to comply with a supervisory authority’s investigation
    • The basic principles for processing data including conditions for consent.

Each breach is considered by the ICO on a case-by-case basis, and various factors are taken into consideration, including:

  • The nature, gravity and duration of the infringement.
  • Actions taken to mitigate any damage.
  • Any relevant previous infringements.
  • The types of personal data affected.
  • Any other aggravating or mitigating factors which apply to the circumstances of the breach.

If the Boomerang breach had occurred after 26 May 2018, subject to the severity, they could have faced a higher tier fine of up to €20 million or 4% of their annual turnover. That would be catastrophic for them and most SMEs.

Is the GDPR future that bleak?

Whilst these figures are terrifying for any SME, we suggest there is hope, given the ‘proportionate’ approach favoured by the ICO under the DPA regime. The ICO have considered the seriousness of the violation and the resources of the SME and have imposed their fines accordingly. Therefore, we are hopeful that under the GDPR, the ICO will continue to recognise that SMEs have more limited resources and capabilities than larger companies and will exercise discretion - provided the SMEs can demonstrate they’ve taken a proactive approach to meet the requirements of the GDPR.

That said, the degree of discretion remains uncertain and, considering the ICO’s statement following the Boomerang attack, SMEs should be sure to comply with the GDPR and document all actions undertaken to avoid (proportionate, but still punitive) fines which may have an irreparable effect on smaller businesses.

If SMEs need a reminder of the scale of the pain, they need only look to the TalkTalk breach. Their failure to prevent a cyber-attack in 2015 resulted in a fine of £400,000 in 2016. Under the GDPR regime this figure could have been closer to £70 million.

Read other items in the London Market Brief - September 2017