
Is there a high risk of fines and sanction by the ICO?
There have been some very large £100m+ fines for British Airways and Marriott hotels from the ICO, and elsewhere in the EU, Facebook and Google have also been fined significant amounts.
Fines set ‘an example’
The ICO continues to impose lower-level fines but in small volumes, and generally more as an example to others. The threat remains where bad conduct is at scale and deliberately ignores data protection rules, but more widely, businesses could be forgiven for thinking that consequences are unlikely to materialise. Before GDPR is relegated to the bottom of the pile, however, it is worth considering the business case. Compliance can bring several business benefits to SMEs in all sectors:
1. Data mapping
One of the disciplines new to most businesses preparing for GDPR was understanding where personal data was held and why. Previously, hard copy filing, IT filing and archiving tended just to be added to when the last file was full. Most businesses tend to keep things just in case. In practice, this means far too much is kept and it is difficult to find important things.
Throw staff turnover into the mix…
2. Data security

3. Subject access requests
Under GDPR, individuals have the right to be provided with all data held by a business that refers to them. In this scenario, data ceases to be valuable and becomes a liability. It is like discovering a building has asbestos. The action to take is to get rid of as much asbestos as possible and then manage the remainder so that it is less of a threat. It is exactly the same approach with personal data.
4. Understanding the legal basis
There are several legal bases for using personal data. The main areas relevant for most businesses are consent, contract and legitimate interest. It is important to know which basis you are relying on. Use of personal data by a website requires consent, but employees and customers are far more likely to be covered by the contract.
Think about the ‘risky areas’
Marketing can be covered by legitimate interest. Each area requires a different legal basis and staff need to know which one applies to their responsibilities. This will cut down on unnecessary cries of “we can’t because of GDPR” but encourage the team to stop and think about the riskier areas. On this basis, an annual briefing on GDPR should save time and money.
5. Confident marketing

GDPR isn’t a restriction…
Directors need to be confident that risks are being considered and managed. GDPR has proven a headache for businesses of all sizes and sectors, as few realise that putting GDPR-compliant processes in place can add value to their business and improve financial efficiency. Tackling the misconception that GDPR poses more restrictions than it actually does is a key step towards creating a healthier and more productive relationship between SMEs and the new regulation. In reality, there are good business reasons for every organisation to get GDPR-ready.