Barely a month goes by without the ICO (Information Commissioner's Office) in the UK issuing fines to UK businesses for breach of GDPR. Just this autumn fines have been issued ranging from £20,000 to £200,000. The businesses range from ones you may not have heard of to household names like Saga Insurance, Papa Johns & Sports Direct. Recently the Norwegian equivalent of the ICO fined the company running the toll collection points the equivalent of over £400,000. Their Data Protection Regime is similar to ours – based on GDPR.
Here are some of the stories leading to the fines.
The Norwegian company runs toll collection points and it was found to be passing data on the vehicles to a data processor in China. It was found that it had failed to establish a data processing agreement, to carry out a risk assessment, and that it also lacked a legal basis in China for the processing of personal data. These are all basic responsibilities under relevant data protection legislation, and these requirements must be met before any transfer of personal data to a third country can take place.
Saga was fined for sending unsolicited direct marketing messages without the recipients’ consent. In many cases it is illegal to send marketing emails unless you have the recipient’s consent.
The same applied to Papa Johns & Sports Direct.
Mermaids, a charity in Scotland, was fined when it was discovered that they had failed to protect an internal email group, with the result that about 780 pages of confidential emails were openly viewable online for nearly three years. This led to personal information, such as names and email addresses, of 550 people being searchable online. During the investigation the ICO discovered Mermaids had a negligent approach towards data protection, with inadequate policies and a lack of training for staff. It should have revisited its policies & procedures to ensure they remained up to date and fit for purpose.
Themes we can see include the need to have the right policies and procedures in place: keeping them up to date; reviewing their application as your business changes; training staff and ensuring that the training is up to date; testing that your policies & procedures are actually being followed; and ensuring adequate security measures are in place.
Most businesses are now handling a lot of personal data: of staff and/or customers/clients and suppliers. So much more business is done online. Where is this data handled? If you use a software system to help you, do you know where the data is all the time? In the case of the Norwegian company it went to China. Could it be going to the USA? A lot of software is based there.
Above are just a few examples resulting in recent fines. As ordinary people, we are concerned that data about us is handled properly, and the GDPR is there to protect us. As businesses it's quite a job to keep on top of this as well as finding customers, doing the work, getting paid, managing your staff etc. You may have heard that businesses can appoint a DPO (Data Protection Officer) to help. However, that is a senior appointment and the salary would normally reflect that. For some businesses that will be a mandatory appointment due to the nature of the data they handle. Some may have their investors insisting they have a DPO, and many choose to do so voluntarily. But for many smaller businesses the appointment of a DPO is overkill and may be too expensive. However, you can just hire an expert either as a part-time DPO or just as external support to help you get and remain compliant, and to give you peace of mind. This can often be for a limited number of hours a week or month. That makes it more affordable.
If that sounds like it’s more doable, then you can explore a bit more here: https://www.hunningsconsultancy.co.uk/gdpr-support/ or call Ingemar Hunnings on 07887 524507 or email: ingemar@hunningsconsultancy.co.uk