Michelle Rodger: Informed choices on compliance can pay big rewards
But have you – as business owners – seriously considered the implications of non-compliance? The massive fines and potential sentences? Or do you just take your chances?
Then consider this alternative. Have you ever viewed compliance as an opportunity, a USP, a differentiator, a competitive advantage? Or used it as a marketing tool, or to leverage loyalty and build trust?
I suspect not. The current information about compliance and data security legislation is all negative. It's about promoting fear of the consequences of not doing what you are told, but I suggest the opportunities could outweigh the disadvantages.
And let's be straight here, the forthcoming "opportunities" are imminent and significant.
The UK Bribery Bill will introduce a new offence of corporate negligence punishable by unlimited fines and up to ten years in prison. KPMG estimates fewer than 40 per cent of UK firms have adequate procedures in place.
A maximum fine of 500,000 for a breach of the Data Protection Act has been proposed by the government. That's a major worry when you learn that not one of the UK's top 50 e-commerce sites complies with the Information Commissioner's best practice guidelines and the majority breach either the act or the Privacy and Electronic Communication Regulations 2003.
Right now, across Scotland, there are hundreds of web-based businesses facing hefty fines because they don't even know about the new PCI compliance legislation, let alone implementing it.
The Payment Card Industry (PCI) Security Standards Council was founded to crack down on payment card fraud. Larger e-retailers have long had to meet rigorous PCI standards but smaller online retailers have only been obliged to comply since October 1. Under the new rules, merchants processing fewer than 20,000 e-commerce card transactions a year could face a block on payments or risk substantial fines if they do not meet the new requirements.
According to Kate Little of multi-media firm Channel 6 it's not always a quick fix either. While many e-commerce sites may need little more than a simple scan and a few basic updates, some older sites may need to be rebuilt.
Possibly the most worrying factor, however, is that the web design industry isn't regulated. According to Sarah Dougan, founder of e-securityexchange.com, your company's website was probably designed and developed by people that don't have any training or experience in compliance whatsoever.
Dougan believes this is the next area that needs to be addressed. "How on earth are business owners expected to comply with legislation when the very tools they use to run their business are being developed by designers who don't understand the security implications and haven't been trained?"
But it's not all bad. Honestly. If you can take on board the legal requirements – which are relatively straightforward and aren't necessarily financially prohibitive (just see the ICO website for the eight principles of data protection) – and you believe the customer is king, then you can turn this to your advantage.
Like Channel 6's Little, who says the new PCI measures are a good way of securing customer confidence and business reputation, Tim Beadle believes winning trust through permission-based marketing and then following through on customer service will be a key differentiator for SMEs.
Marketing and data privacy consultant Beadle has developed techniques for using compliance and data privacy as a means of increasing sales, through enhanced consumer confidence and a more rigorous approach to data management.
Playing "fast and loose" with e-mail marketing lists has resulted in the weakened power of what, used properly, is arguably the best marketing tool ever created, says Beadle. If you are using e-mail marketing, you must consider it a consent-based medium and genuinely seek an "informed" consent in the first place.
An e-mail validation campaign designed to re-energise tired e-mail addresses and eliminate those wasting your bandwidth is the starting point. "While your e-mail volumes will fall, business from those e-mails will climb," says Beadle.
The new Information Commissioner Chris Graham has made it clear he will be "naming and shaming" companies that fail to comply.
The bottom line is it's all about trust and the power of the consumer. Lose that trust and at the very least you will lose a customer. At worst you could lose your business.