After the 25th of May…
So the 25th May came and went. No drama, you haven’t seen anyone from the ICO knocking on your door, right? Phew! Let’s put this GDPR thing on the back burner until we have to!
Has anyone thought about that?
Possibly quite a few of you. And that’s possibly understandable, as businesses need running, profit needs generating, and time is a precious resource; especially for a small or micro business.
But the thing is, the GDPR is now part of UK law: it applies directly as an EU regulation and is supplemented by the UK Data Protection Act 2018, which was given Royal Assent on 23 May, two days ahead of the GDPR enforcement date. If you have yet to make a start, you are actually breaking the law. That is going to be a problem sooner or later, whether you like it or not.
If you get a minute, take a look at the ICO website and see what they have been doing in the background over the past months. Among other things, the ICO has been investigating companies for data breaches and levying penalties and fines, both before and since 25th May. Breaches that occurred before 25th May are still dealt with under the old rules, where penalties were capped at £500,000 under the Data Protection Act 1998, far below the GDPR's maximum of €20 million or 4% of annual worldwide turnover. And you might be surprised at the variety and size of companies that have been caught, made an example of and hit in the pocket with a fine.
It is also interesting to see what errors, activities and breaches the companies have been fined for: sending spam emails and texts, contacting people registered with the Telephone Preference Service, nuisance calls (the marketing cases fall under the Privacy and Electronic Communications Regulations, which the ICO also enforces), data security breaches, loss of video evidence, not protecting identities and more. Not all of these actions were intentional; many were accidental or down to human error. But the fact that penalties were issued anyway shows that mitigation is rarely going to bring your liability down to zero.
With the ICO ramping up activity, thanks to an increased focus on revenue-generating registration fees, more staff and increased powers, we can expect much more of the same. (And no, they don't keep the fines they issue: fines go to HM Treasury via the Consolidated Fund, as the ICO takes pains to point out.)
No business is infallible, regardless of size, so whilst your small business may be flying under the radar now, ask yourself whether the business risk makes it worth sailing so close to the wind. Would you take the same attitude to HMRC over tax law, or to the HSE over health and safety legislation? And if the answer is 'yes', ask yourself whether this is a good selling point for your business and brand, in an age where trust (from your customers, employees and business partners) is a hard currency to trade in.
Take a look at your processes
The good news is, you can still make a start and take a good, hard look at your current data compliance. It's a good idea to understand what you do with people's data and why, as well as considering what you need to do to bring your business activities up to speed with GDPR requirements. You might be surprised at the extent to which you are in breach of the GDPR without knowing it. That's where the risk lies.
There are tools and people to help you get it right, with service offerings and packages to fit your budget. At Sphere Data Protection we do exactly that: provide the tools to help you get it right, so that you know how to keep your business on the right track and in line with data protection law. Publicity is usually good for businesses, but an entry on the wall of shame on the ICO website would have the opposite effect.