Lorega offers expert help and advice  should your company or data be compromised

Let alone the millions of small business owners across the UK. The recent example of an unauthorised log on the SAGE database is a good example.

The Data Protection Act (DPA) is an area of legislation which has been with us in its current form since 1998, the same year Google was incorporated, a time before Facebook, Twitter, YouTube or any number of websites and apps holding personal data were born. It came about at a time when ‘data' stored in large data centres was controlled by data owners. But we've come a long way since 1998 and the way we use technology to create and share data has changed dramatically too.

Despite a number of minor changes and directives from the European Commission, there hadn't been any significant changes to the DPA until 2012, when the European Commission published its draft‘ General Data Protection Regulation' (GDPR). It has taken four years of debate and discussion to finalise and publish the regulation, which businesses must begin to work through and implement by 25th May 2018.

Despite the UK voting to leave the European Union in June, Brexit won't affect the UK from complying with the EU regulations, for two very simple reasons. Firstly, businesses who have European customers, suppliers or subjects will need to comply with the regulations and secondly, because the changes have been largely introduced in conjunction with the UK's Information Commissioners Office (ICO) who have already stated that they will still expect companies to comply with the GDPR.

So what do you as a business owner (and also as a ‘data subject') need to know?

The GDPR applies to any business which owns personal data; known as the controller. Personal data, or ‘Personal Identifiable Information' (PII) is defined as "information relating to a person who can be identified, directly or indirectly" which can include: name, identification number, address, or other online identities. The data doesn't have to belong to your customers - it can also apply to your employees too.

It also applies to any business that holds data on the request of another party, known as the processor. The GDPR will therefore be applicable to you, if you provide data storage or if you are a law firm or insurance broker and if you are currently governed by the DPA.

What's changing?

Currently, under the DPA, small businesses are required to keep personal data secure and up to date, should only hold the data for as long as it is needed and for a specific purpose. Under the GDPR, the rights of the ‘Data Subject' (the individual whose personal data you hold) have been strengthened and include a number of rights, including the need for you to gain consent from them in order for you to process their data. Their rights also include the right of the individual to be ‘forgotten', meaning they can request that you remove all data you hold about them.

Lawful and fair processing

It has always been important to be clear about what you're collecting data for and should be understood before such data is obtained. The GDPR, however, also requires that it must be made clear to the data subject how long you will be storing their information and what their rights are, for example, the ‘right to be forgotten'. Businesses need to ensure they are conducting lawful and ‘fair processing' of information. Every business that is affected by this should therefore consider carefully whether they communicate this in a clear and readily accessible manner.

Notifications, fines and reputational damage

If you are unlucky enough to experience a data breach, you are required to notify the ICO "without undue delay and, where feasible, not later than 72 hours after having become aware of it" (EU2016/679 (85)). Dependent upon the nature of the breach, you may also have to notify the data subjects that a breach has occurred.

The ICO have made it clear that they are going to impose punitive fines and sanctions on organisations that are in clear violation of these rules and the fines are not insignificant. For example, late notification to the ICO (more than 72hrs) could mean a fine for your business of 2% of your annual worldwide turnover and, for more serious infractions; this could be increased to 4% of your annual worldwide turnover. The ICO also has the ability to levy fines of up to €20m, approximately £17m, depending on the size, scale and nature of the breach. Whilst the principal aim of the GDPR doesn't set out to tarnish reputations, it is important to note that the ICO publishes names of organisations that have received any form of undertaking, sanctions or fines on its own website, for all to see. This means there is a very real risk to your reputation, even if the sanctions are not substantial in monetary terms.

Cyber attacks

The possibility of a cyber attack that can result in a data breach is very real, with our recent research showing that 75% of small businesses have experienced a cyber threat. A number that is expected to continue increasing as cyber criminals target more and more small businesses owners.

Ensuring you are compliant with the updated GDPR will help to protect your business to a certain level but by taking out Lorega's ‘Cyber Recovery Insurance', will also give you access to a ‘Cyber Expert' to guide you through the process, liaise with regulators and communicate with your customers should anything go wrong.

Visit to find

out how Lorega can help you to survive

a loss of personal information, following

a data breach or cyber attack.