Awareness of data protection law is at an all-time high, and complaints to the ICO have doubled since the GDPR came into force. The ICO has not yet used its new scary fining power, but its maximum fine has risen from just £500,000 to €20m, 33 times higher, and it is only a matter of time before it finds some unlucky business guilty of a breach.
It is worth noting what businesses have been fined for in the past.
Lack of appropriate security measures
Under the GDPR, businesses are supposed to consider what is appropriate security for the personal data they are handling, and put the appropriate measures in place. In the past, organisations have been caught out by not having thought through their security well enough. For example, Heathrow Airport had not trained its staff not to leave unencrypted USB sticks lying around, and the University of Greenwich had no policy of taking down microsites created by students after they were no longer needed.
Lack of valid consents to receipt of marketing
Under the GDPR, the bar for consent is much higher than before, and even under the previous regime businesses were caught out by sending out mass marketing without valid (compliant) consents in place. Consent must be specific and informed, must have no conditions attached to it, and must be indicated by a clear affirmative act. If an individual did not know that they were giving consent to receive marketing from a particular company, or was pressured in any way into giving it, the consent will not be valid.
Failure to register and pay the ‘data protection fee’
It is still a legal requirement to register with the ICO, and now to pay a small fee, if you carry out certain activities. For example, if you use CCTV for crime prevention, you need to pay the fee. The ICO can fine you for not doing so, and I am finding that awareness of the need to register is low.
Does your business need GDPR help?
If you have concerns about how GDPR is managed in your business, don't hesitate to get in touch with your questions.