European SMEs need to wake up to the threat posed by the humble Subject Access Request

European SMEs need to wake up to the threat posed by the humble Subject Access Request

Research suggests that owners and directors of EU SMEs need to do more to identify risks that could impact their business and this lack of awareness is greatest over the risks posed to small businesses by the forthcoming EU GDPR. One of the greatest threats might actually come from the humble Subject Access Request (SAR).

The research, collected from 1,000 SMEs in the UK, France and Germany for the Gowling WLG Digital Risk Calculator, consistently identifies data protection as one of the top threats to small businesses. But, in spite of this, only 14% of UK businesses were aware of the fines they may face, under the forthcoming EU GDPR, for failing to handle and protect their personal data properly. This compared with 26% of SMEs in Germany and 45% in France who were aware of the maximum fines that could be imposed.

Most small businesses see the principal threat as coming from a cyber attack leading to a data breach. But they are ignoring another more straightforward threat, the SAR. Any data subject can request a copy of all the information held about them which they believe is held by a company, no matter how small, and the company must comply with that request within a 40-day deadline.

To comply with the SAR the business will have to carry out an exhaustive search of all their data networks, which could include CRM systems, account managements systems, mailing lists and even staff e-mails. They may also have to ask staff to search their own records, obtain permission from third parties to disclose some information and maintain correspondence with the data subject about their request.

All of this can impose a significant burden on a small company and will force SMEs who process data to put in place a proper process for handling SARs, which they can show to the regulator if necessary.

SMEs who have not planned to properly comply with the data handling principles of the GDPR and the consequences of data breaches are risking their business. Which is why Crises Control has launched its regulatory compliance solution to help small businesses with GDPR compliance issues.

The solution ensures that SMEs can notify their staff, customers or the regulators of a data protection incident quickly and reliably. And it also requires recipients to acknowledge delivery of the message and the accompanying documents, so creating an audit trail should this be needed at a later date.

But Crises Control has now gone even further by creating its own SAR process as an incident on the platform, so that customers can simply launch an incident when they receive a SAR and use it follow through the process in each case. The SAR Incident provides the complete template SAR compliance process and records all steps taken along the way. This SAR Incident template is available for free to all Crises Control customers as part of their subscription.

If you are worried about the GDPR, our latest white paper “Keep your business safe from regulatory fines” offers advice on how an incident notification solution can help you to avoid fines and other sanctions from regulators following an information security breach.