Giant GDPR fines issued – What does this mean for SMEs?
The latest eye-watering fines speak for themselves: £183m issued to BA for a cyber-security incident that let attackers harvest customer details, and a fine in excess of £99m for Marriott for the failure to “undertake sufficient due diligence when it bought Starwood (hotel group) and should also have done more to secure its systems.” It’s clear that the ICO are cracking down on organisations breaching GDPR regulations, but it’s not just high-profile multinational organisations in the firing line. The ICO has been handing out fines in excess of £60,000 to a whole host of SMEs found to be in breach of GDPR.
SMEs fined for GDPR breaches
It’s fair to say that the ICO aren’t pulling their punches for any organisation that breaches GDPR, and that includes SMEs. Here’s just a handful from a growing list of SMEs that have been fined by the ICO to date:
- Eldon Insurance Services Limited – £60,000. Trading as GoSkippy Insurance, the firm was fined £60,000 for sending unsolicited direct marketing email without consent
- Lifestyle Marketing, Mother & Baby Ltd. – £140,000. One of the earliest six-figure ICO fines, £140,000 was given to the company hosting the ‘Emma’s Diary’ site, which gave subscribers free advice on pregnancy and childcare but resold their personal information without their consent. “The data broking company, which provides advice on pregnancy and childcare, sold the information to Experian Marketing Services, a branch of the credit reference agency, specifically for use by the Labour Party. Experian then created a database which the party used to profile the new mums in the run up to the 2017 General Election.”
- Tax Returned Limited – £200,000. The personal tax assistance firm was fined £200,000 for sending millions of unsolicited marketing text messages
- DM Design Bedrooms Ltd – £160,000. The Glasgow-based bedroom design company was fined £160,000 for 1.6m unsolicited calls to TPS subscribers
- Alistar Green Legal Services – £80,000. The Liverpool-based legal services firm was fined £80,000 for 213 unsolicited phone calls to TPS subscribers
- Secure Home Systems – £80,000. Fined for unsolicited calls made to numbers obtained from a purchased third-party list that the company did not screen to check whether consent was attached
The ICO means business
There are many others to add to the growing list, particularly where unsolicited calls are made: as few as a couple of hundred calls have resulted in an £80,000 fine, and even an unintentional breach, such as using a contact list purchased from a third party on the assumption that it had been vetted when it hadn’t, has resulted in an £80,000 fine. The message from the ICO is quite clear: organisations need to take it seriously, because fines and legal costs add up to seriously large sums even when only a small number of individuals are affected.
“…For those who do not take this responsibility seriously or those who break the law, we will act swiftly and effectively. We are using the intelligence we have gained – from more than 40,000 data protection complaints since May 25 2018 and over 14,000 personal data breaches reported to us, as well as intelligence from other regulators and investigations we have instigated – to take robust action.” – Elizabeth Denham, UK Information Commissioner.
So it’s worth remembering that organisations are not only required to adhere to the principles set out in the GDPR, but must also be able to demonstrate their compliance. If you’d like further advice on GDPR, or to discuss how you can reduce your cyber-security risk, contact our cyber-security team today on (0)1242 505 470 or email us.