Barely a month goes by without the ICO (Information Commissioner's Office) in the UK issuing fines to UK businesses for breach of GDPR. Just this autumn fines have been issued ranging from £20,000 to £200,000. The businesses range from ones you may not have heard of to household names like Saga Insurance, Papa Johns & Sports Direct. Recently the Norwegian equivalent of the ICO fined the company running the toll collection points the equivalent of over £400,000. The Norwegian data protection regime is similar to ours, being based on GDPR.
Here are some of the stories leading to the fines.
The Norwegian company runs toll collection points and was found to be passing data on the vehicles to a data processor in China. It was found that it had failed to establish a data processing agreement, had failed to carry out a risk assessment and also lacked a legal basis in China for the processing of personal data. These are all basic responsibilities under the relevant data protection legislation, and these requirements must be met before the processing of personal data can take place.
Saga was fined for sending unsolicited direct marketing messages without the recipients’ consent.
The same applied to Papa Johns & Sports Direct.
Mermaids, a charity in Scotland, was fined when it was discovered that it had failed to protect an internal email group, with the result that about 780 pages of confidential emails were openly viewable online for nearly three years. This led to personal information, such as names and email addresses, of 550 people being searchable online. During the investigation the ICO discovered that Mermaids had a negligent approach towards data protection, with inadequate policies and a lack of training for staff. It should have revisited its policies & procedures to ensure they remained up to date and fit for purpose.
The common theme is the need to have the right policies and procedures in place: keeping them up to date; reviewing how they apply as your business changes; training staff and ensuring that the training is up to date; and testing that your policies & procedures are actually being followed.
Most businesses are now handling a lot of personal data: of staff and/or customers/clients. So much more business is done online. Where is this data handled? If you use a software system to help you, do you know where the data is at all times? In the case of the Norwegian company it went to China. Could yours be going to the USA? A lot of software is based there.
Above are just a few examples resulting in recent fines. As ordinary people, we are concerned that data about us is handled properly, and the GDPR is there to protect us. As businesses it's quite a job to keep on top of this as well as finding customers, doing the work, getting paid, managing your staff etc. You may have heard that businesses can appoint a DPO (Data Protection Officer) to help. However, that is a senior appointment and the salary would normally reflect that. For some businesses it will be a mandatory appointment due to the nature of the data they handle. Some may have investors insisting they have a DPO. But for many smaller businesses the appointment of a DPO is overkill and too expensive. However, you can hire an expert for a limited number of hours a week or month to assist you. That makes it more affordable.
If that sounds more doable, then fill in the form below and we can reach out for a free, no-obligation chat. Or you can explore a bit more here: https://www.hunningsconsultancy.co.uk/gdpr-support/ or call Ingemar Hunnings on 07887 524507 or email: [email protected]