Originally published on 18 July 2018
Updated 05 Nov 2021
May 2018 saw the European Union's new data protection law, the General Data Protection Regulation, become enforceable. Adopted in 2016 and applied from 25 May 2018 after a two-year transition period, it is now ominously known simply as the GDPR.
Since its inception, the UK government body responsible for cracking down on GDPR breaches, the Information Commissioner’s Office (ICO), has been busy.
When GDPR legislation was introduced, we were warned not to take the new regulations lightly. The fines, up to €20 million or 4% of annual global turnover (whichever is higher), were promised not as a simple deterrent but as a real and genuine threat that the ICO would not hesitate to follow through on.
And the ICO, along with its counterpart supervisory authorities across the EU, did not disappoint.
The fallout of GDPR has been, arguably, biblical. Businesses from the likes of Google to Marriott Hotels have been fined eye-watering sums of money. The largest fine of GDPR's first year was €50 million, doled out to Google by the French regulator CNIL for a variety of data protection violations. British Airways was originally served a notice of intent for over €200 million (£183 million), which would have been the largest, but the final penalty issued in 2020 was a mere £20 million (about €23 million).
Why Is GDPR So Harsh and So Rigidly Enforced?
The GDPR rules appear, on the surface, to be quite tough on businesses. The reality is that they’re pretty much in line with other forms of consumer protection and compliance fines.
GDPR is all about the rights of citizens — their rights as individuals, their right to privacy and their right to control how their personal information is used. As with other consumer-protection laws, the harsh fines and keen eye of regulators exist to ensure the rules are taken seriously.
The big difference is that GDPR has finally brought data protection law up to date with the digital age, but the speed of that change has been a shock to the system. Where once the rules were loose and rarely enforced, there is now a detailed regulation with real penalties behind it, ready to wreak havoc on any business that ignores it.
Previous data protection laws governing businesses were implemented in the 1990s, a long time before mass-data collection, cloud storage and so on. The rules did not provide adequate protection to individuals, which meant their data could be used in a lot of ways they didn’t want.
After so many years of pretty relaxed data usage across the world, a serious shake-up was needed to change mindsets, along with serious consequences for flouting the rules.
The reason GDPR feels so harsh is that the landscape before it was a fairly lawless place — where personal data could be sold on a whim, and customers could be bombarded with marketing emails after sending a simple email query.
Does GDPR Apply to Small Businesses?
News-grabbing GDPR fines are always going to feature major corporate entities. The numbers are so apocalyptically large that it’s almost impossible to ignore them. Given the way that GDPR is built — and the way it is reported on — you’d be forgiven for thinking it is based solely within the realms of big corporate, that this personal data security measure is designed for those that store lots and lots of customer data.
Surely your small business, with only a few pieces of personal data stored compared to giants like Google, is not subject to the same gargantuan fines and eagle-eyed watch of the ICO?
GDPR covers the personal data of any individual in the European Union, whatever their citizenship. It applies to organisations established in the EU, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour (Article 3).
And if you are thinking that this means it no longer applies in the UK, you need to know that although GDPR was made law by the European Union, the United Kingdom, having left the EU, now follows the UK GDPR together with the Data Protection Act 2018, which is effectively the same set of rules and is enforced by the ICO.
With that in mind, GDPR covers the personal data of anyone in the EU or the UK, which means it applies to every business that stores or otherwise processes data on these individuals, whether your turnover is £10,000 or £10 billion.
GDPR Applies to Small Businesses, but Could You Really Be Fined?
There is a big difference between application and execution. While GDPR might apply to your business, what are the chances the ICO will ever pay attention to you?
The probability is higher than you might think.
It’s fair to say that the ICO isn’t pulling its punches for any organisation that breaks the rules, and that includes SMEs. Fines against small businesses actually make up the majority of the fines brought under the regulations. Strictly, most of the marketing fines below were issued under the Privacy and Electronic Communications Regulations (PECR), the direct-marketing rules the ICO enforces alongside GDPR and which carry a maximum fine of £500,000, but they show the same regulator applying the same standard of consent to small firms. Here’s just a handful from a growing list of SMEs that have been fined by the ICO to date:
- Eldon Insurance Services Limited — £60,000. Trading as GoSkippy Insurance, the company was fined £60,000 for sending unsolicited direct marketing emails without consent.
- Lifestyle Marketing, Mother & Baby Ltd — £140,000. One of the earliest six-figure ICO fines of the GDPR era, issued to the company behind the Emma’s Diary website. The company gave subscribers free advice on pregnancy and childcare but sold their personal information on without their consent.
- Tax Returned Limited — £200,000. This personal tax assistance firm was fined £200,000 for sending millions of unsolicited marketing text messages.
- DM Design Bedrooms Ltd — £160,000. This Glasgow-based bedroom design company was fined £160,000 for making 1.6 million unsolicited calls to numbers registered with the Telephone Preference Service (TPS), the opt-out register that marketers are required to screen their call lists against.
- Alistair Green Legal Services — £80,000. This Liverpool-based legal services firm was fined £80,000 for just 213 unsolicited phone calls to TPS subscribers.
- Secure Home Systems — £80,000. The company was fined for unsolicited calls to numbers obtained from a purchased third-party list that it never screened against the TPS or checked for consent.
Clearly, the ICO means business.
GDPR Fines for Small Businesses: It’s Only Getting Worse
Our list is just the tip of the iceberg when it comes to small business GDPR fines. The Enforcement Tracker website (enforcementtracker.com) maintains a running list of the hundreds of GDPR fines issued across the EU since the regulation came into force, and a large share of the entries are small and medium-sized businesses rather than household names.
What’s more, GDPR fines are not only increasing in regularity, as more people come to understand their rights and take action against rule-breakers, but the sums are set to become even higher. ZDNet reports that regulators are gaining confidence in enforcing GDPR, which means they are likely to start using more of the powers available to them, including fines closer to the maximum allowed.
Trends show that fines increased by 40% in 2020 over 2019.
How Much Could My Small Business Be Fined for a GDPR Breach?
With figures going up, what kind of small business GDPR fine could you be facing in the event of a GDPR breach?
Even with numbers rising, the maximum fine of €20 million or 4% of annual global turnover is unlikely to be your final figure (and there is a lower tier of €10 million or 2% for breaches of obligations such as security measures and breach notification; in practice almost no fine approaches either ceiling). GDPR.EU reports on a survey of 91 GDPR fines that gives €66,000 as the average. Bear in mind that an average is pulled upwards by a handful of very large fines, so the typical small-business fine will be lower. With the small businesses identified as examples in this blog facing fines of £60,000 to £200,000, this figure appears to give a fair picture of the GDPR fines you could face.
So, while GDPR might not be new, it’s never been more important to avoid GDPR breaches. The potential cost of a breach to your small business is ramping up, and as the short history of GDPR shows, you are far from safe.
How Do Small Businesses Protect against GDPR Breaches?
As you might have noticed, unsolicited marketing messages are the most common trigger for ICO fines where small businesses are concerned: as few as a couple of hundred calls have resulted in an £80,000 fine. Even breaches made with no intent to break the rules, such as calling numbers from a purchased third-party list without screening them against the TPS or checking that consent had been given, have led to enormous fines for small businesses.
The message is quite clear from the ICO — Organisations need to take GDPR seriously.
Elizabeth Denham, UK Information Commissioner, is quoted as saying:
“…For those who do not take this responsibility seriously or those who break the law, we will act swiftly and effectively. We are using the intelligence we have gained — from more than 40,000 data protection complaints since May 25 2018 and over 14,000 personal data breaches reported to us, as well as intelligence from other regulators and investigations we have instigated — to take robust action.”
But how exactly do you heed Denham’s warning?
Many of the organisations facing GDPR fines will have been under the impression they were compliant. The problem is that GDPR is so comprehensive, and such a change from what data protection law used to be, that it can seem impossible to keep up with expectations. A lot of these unsolicited messages were sent without malicious intent or design, simply through a lack of understanding of the rules being broken.
The most reliable way to check your GDPR compliance is to have your processes audited by experts. If there are holes in your compliance measures, such as relying on the wrong form of consent before emailing or texting consumers, failing to screen call lists against the TPS, buying in contact lists without evidence of consent, or having no procedure for reporting a personal data breach to the ICO within 72 hours, the experts will find them.
Our IT consultancy services and cybersecurity services include GDPR audits and coverage. Optimising IT experts will evaluate your IT systems to find where you might be risking compliance problems that could lead to GDPR fines. We can then help you develop and introduce solutions to get yourself on the right side of the ICO.