Since the start of the COVID-19 pandemic, there has been a significant rise both in cyber breaches, as staff work from home on less-than-secure devices, and in complaints to regulators from individuals about abuses of their personal data by businesses. More and more people know their rights and are happy to assert them and take any business to court.
The UK Government’s own analysis is that over 54% of all small to medium-sized businesses suffered a data breach last year (and even that may be an underestimate), but most don’t know they have been breached because they lack the technical ability to spot it. Not all breaches are ransomware.
So a business that has been active for more than two years has been, statistically speaking, breached and lost personal data. The interesting legal point here is that civil claims are won on the “balance of probabilities” so anyone could bring a claim for loss of their personal data against a 2-year-old business, because they probably have lost it, and that’s according to the Government itself.
So would it be a good idea to become GDPR compliant as that includes measures to secure your business against data loss and breaches?
All businesses know about GDPR but most do no more than register with the Information Commissioner, and that requirement isn’t even part of the GDPR Rules!
It’s true that there is a lot to do to become GDPR compliant, but the smaller and less complex your business, the less complex it all becomes. That is the good thing about GDPR: it scales to fit the size of the business.
You could be a £1 billion business (we know one) that is incredibly simple from a personal data perspective (it has almost none) so it complies easily.
We know two-man bands that harness the power of the Cloud and multiple apps located all over the world to carry out complex processing on the data of millions of people – that is an altogether different ballpark and they have a lot to do in order to be GDPR compliant. So it depends on your business how complicated it all is.
Studies have shown that there is pain in implementing the rules, but that it is worth it. A study by Cap Gemini in 2020 showed it increased staff morale, customer satisfaction, retention and profitability.
We find that altering the way GDPR is looked at helps. When we break it down into its parts, it is about being efficient with data. Only collect precisely what you need, know what you are going to do with it before you collect it, get rid of it as soon as it has no use, know where you are going to process it and with whom, and keep it secure (just like your premises).
Once GDPR is looked at this way, it becomes easy to understand and implement.
Who do I want to do business with: a business that obviously cares about my personal data and shows it, or one that clearly does not? GDPR helps businesses do the things that reveal to the customer whether they care about them or not; that is why compliance increases customer retention and profitability. It makes you more competitive and gives you an advantage.
The other side of that coin is this: not complying with the rules effectively gives every customer a claim for compensation the second their personal data is collected or shared. If a business has 5,000 customers and each one has a claim of just £1,000, that amounts to a lot of lost profit. In accounting terms, this has to be shown in the accounts. Whilst that reduces the obvious value of the business, it can also be used to reduce Corporation Tax (an interesting by-product). However, recent reports have shown that buyers are less willing to take the risk of buying a non-compliant business (according to Locktons, Oct 2020, over 55% of the deals they insured ended unsuccessfully due to GDPR issues), which means the business is effectively worthless. Not a great value to sell to shareholders.
To sum up, GDPR compliance has become a necessity for UK businesses. Any company that claims it is not worried should be, because it is becoming increasingly uncompetitive, increasing the value of its liabilities and reducing the sale value of its business. Looking after your data, understanding it and complying with the regulations is key for your business.
As mentioned above, the interesting by-product of not being compliant is that businesses have overpaid Corporation Tax since GDPR came into force. You can recover overpaid tax in the normal course of business, and in this case use some or all of it to pay for what you need to become compliant, and increase the value of your business into the bargain.
Corporation Tax Rebates is the UK’s First Corporation Tax Recovery Service Based on Data Risk Compliance. If you have paid more than £20,000 in Corporation Tax in the last two to three years, we can help you claim the overpaid tax back. Our team can help you mitigate financial and data risk through GDPR compliance, relieving your business of these challenges and increasing the value of your business.