A survey commissioned by Aon. Chris Mallett, a cybersecurity specialist said: “As the results show, many businesses could be in breach of GDPR – most likely without even realising it.
“Visitors books, allowing staff to use their own mobiles for work purposes and even seemingly minor things like distributing sponsorship forms around the office carry risk, yet these sorts of things are commonplace among businesses big and small.”
But we all know that not knowing the rules is never seen as a valid excuse, so read on to see if you’ve made these common security mistakes. They could see your small business slapped with a fine running into the millions.
Top 10 Common GDPR mistakes small businesses make include:
- Letting staff use their own computers. More than a quarter of businesses surveyed made this mistake. Letting your staff use their own laptops and devices for work purposes allows unencrypted customer and employee personal data to be stored at home.
- Keeping a visitors book is a mistake. It’s a seemingly harmless way for guests to note their visit to your place of business, especially if you’re in the hospitality industry. But the problem is that this presents visitors with freely available information on others.
- Keeping a paper diary might be preferable to doing everything on a screen for some business owners. But as it could include private details about customers, this too poses a privacy risk.
- Circulating printed sponsorship forms. This is a clear GDPR contravention, as printing and distributing sponsorship forms tends to include names and addresses of individuals.
- Training materials that reveal the full details of featured individuals.
- Distributing promotional images of employees that display their unobscured name badges.
- Not disposing of paper records properly.
- Paper records were another hazy area for those surveyed. The results revealed that not all small businesses are aware of their responsibility to get rid of paper records securely and confidentially. More than half aren’t aware of their obligation to get rid of paper customer records. That figure jumps to 71 per cent for staff records, 78 per cent for meeting minutes, and 81 per cent for visitor books.
- Businesses don’t realise that losing paperwork can count as a data breach.
- Posting, emailing, or faxing personal details to the wrong person could also be a breach, according to the Independent.
Did you know that you’re obliged to notify your Information Commissioner’s Office, as well as all those affected, if your business has a data breach that affects individuals’ rights? 60% of small business owners polled didn’t.
AON | Chris Mallett