SMEs Hit by Cyber Attacks Could Face Hefty Penalties under the GDPR

UK SMEs that suffer data breaches of any kind after May 2018 could be hit with hefty penalties under the upcoming General Data Protection Regulation (GDPR).

The GDPR – which is set to effectively replace the outstanding Data Protection Act 1998 from 25 May 2018 – will change data protection legislation in the UK and Europe as we know it, and will bring with it a series of new rules and regulations.

Businesses of all shapes and sizes will be expected to demonstrate that they are actively taking steps to protect themselves and their clients’ data from cyber attacks or breaches.

SMEs that are hit by cyber crime will be expected to inform both the authorities and the customers whose data has been accessed.

Fines under the GDPR are very high – and any business that suffers a significant data breach and therefore fails to adequately protect the customer data it holds could be required to pay up.

The maximum fine that can be issued for a serious ‘Tier 1’ data breach under the GDPR is £17.5m or four per cent of the company’s global turnover, depending on which is greatest.

SMEs are being warned to step up their cyber security before the new legislation takes effect – and also to think very carefully about how they process and protect their data.

Businesses deemed both ‘controllers’ and ‘processors’ of data will be expected to be GDPR-compliant, meaning that all businesses that hold client records will be affected by the new legislation.