More than half of those surveyed revealed they don’t dispose of paper customer records securely and confidentially.
Since the GDPR deadline in May 2018 we have been inundated with thousands of PAs that are yet to see their businesses change. This not only puts the personal data of millions of employees and customers at risk but new research suggests that many small business owners are confused by the do’s and don’ts when it comes to data protection and privacy regulations.
As a result, owners and employees alike have made mistakes or have procedures in place which could have resulted in a multi-million pound fine for the business. More than a quarter of those polled allow staff to use their own computers, tablets and phones for work purposes which contravene rules as personal data could be stored unencrypted at home.
One in ten revealed they have visitors books in their HQ – where visitors can freely see details of others who have been there previously.
Commissioned by Aon, the research also found paper diaries are used by 26 per cent of businesses – which could contain private information or customer details and be easily misplaced. 10 per cent said the circulation of printed out sponsorship forms – which often contain names and addresses – is common at their place of work, which is another contravention of GDPR rules.
Chris Mallett, cyber-security specialist at Aon, said: “As the results show, many businesses could be in breach of GDPR – most likely without even realising it.
“Visitors books, allowing staff to use their own mobiles for work purposes and even seemingly minor things like distributing sponsorship forms around the office carry risk. Yet these sorts of things are commonplace among businesses big and small across the UK.”
The research also found a quarter have used training materials which feature the full details of real-life case studies. 16 per cent have used promotional images which include members of staff wearing their nametags – making them publicly identifiable and it’s a similar story for staff records (71%), visitor books (86%) and minutes from meetings (78%).
Carried out through OnePoll, the study found four in ten didn’t know the loss of paperwork could be a data breach. 36 per cent weren’t aware personal data posted, emailed or faxed to the wrong person could be a breach too.
Worryingly a third of owners said it would take their business a week or more to resolve a data breach. Almost 45 per cent have no insurance whatsoever in place to protect them against cyber or data risks.
Mallett added: “Such a significant proportion of businesses not having cyber insurance is a major worry. From talking to our customers we know that many simply can’t guarantee they’re able to successfully defend against a cyber-attack and that’s not necessarily their fault – even major corporations are vulnerable.
“How a breach is dealt with by a business is vital, though, and if it’s not done in accordance with GDPR that business could receive a significant fine as well as damaging relationships with customers and losing out on revenue.
“Cyber insurance means those businesses who unfortunately experience a data breach can at the very least rest assured that they have access to specialist support, ensuring a breach will be dealt with in line with GDPR requirements.”
Most common ways businesses are, or could be breaking GDPR rules:
- Allowing staff to use their own computers, tablets or phones for work purposes – if personal data isn’t encrypted
- Staff using papers diaries used for work purposes and containing personal information – major risk of them being misplaced or falling into the wrong hands
- Using training materials which feature full details of real-life case studies
- Using images which feature customers to promote your business
- Storing files which potentially contain personal data outside of a defined structure/naming system
- Using images to promote your business which feature members of staff wearing nametags
- Holding unencrypted CCTV footage where individuals are recognisable
- Recording customer calls which capture customer card details
- Visitors books where visitors can see other people’s information when signing in – such as names, the company they work for, their vehicle registration number etc
- Staff members circulating sponsorship/charity donation sheets