In this article, I share my thoughts on “what’s the worst that can happen” if you’re not GDPR-compliant on the 25th May 2018, following several days of research, including trawling through the ICO website and watching a couple of webinars/seminars hosted by industry experts and thought leaders. It’s also based on founding and running several companies for over 15 years and experiencing previous government initiatives not really achieving much, such as cookie policies, usability for disabled users or displaying call costs for certain telephone numbers.
First up, if you store client information on a PC you need to register with the ICO. Need clarification? There is a self-assessment form you can fill-out on the ICO website https://ico.org.uk/for-organisations/register/self-assessment/.
“Damn, we’re not registered, what is going to happen?”
Well, the maximum fine for not registering with the ICO is £4350:
However, this is based on Tier 3 companies:
In reality, the fine (if one ever materialised) would more likely to be £60 to £90 for not registering, based on 150%. And the likelihood of a fine ever materialising is slim. Why?
There are around 6 million companies in the UK (5.7 million in 2017, from Briefing Paper #06152, dated 28 December 2017 on www.parliament.uk).
How many of those companies are registered with the ICO? According to the ICO website, over 500,000 “Data Controllers”:
However, many of these are in the Public Sector. My guess is that less than 1% of businesses are registered with the ICO, yet (another guess coming up here…) 80% of them are legally required to register, as they store personal information digitally.
So let’s look at the decisions and enforcements, to see if this can shed some more light.
There have been 1321 decisions in the past 12 months, of which of which 633 complaints were upheld (48%), and 11,355 in total, of which 4687 complaints were upheld (41%). But again, this relates to the public sector.
As for enforcements, just 94 listed in 2017 and only 54 of these were monetary.
So less than 1 in 105,000 companies (or 0.0009%) have received a monetary enforcement against them in the past 12 months. Take a look at the cases listed on the ICO website https://ico.org.uk/action-weve-taken/enforcement:
The majority are public sector and blue chip organisations or companies sending bulk, unsolicited emails or making 100,000+ nuisance calls. Not your average SME’s, working hard (and hopefully smart) to make an honest living.
So what’s the real purpose behind GDPR and who is it aimed at? In my opinion:
- To stop big companies becoming complacent with your data. (e.g. TalkTalk)
- To stop opt-in being pre-filled.
- To stop rogue or untoward companies disrespecting your privacy.
i.e. to deter the likes of companies listed on the ICO enforcements page. In all honesty, I can only see this improving points 1 and 2; there will always be rogue and untoward companies out there.
So to summarise, saying “Screw GDPR!” and doing nothing is of course an option. However, as best practice, its appearance is a good time to review the personal data you hold on clients, prospects, employees and suppliers etc. and ask:
- What data do we hold?
- Do we have a legal basis to hold and process this data?
- Is the data secure?
- Can we detect data breaches and do we need to report them?
- Can we handle Subject Access Requests and delete personal data where appropriate?
- Are we respecting the communication preferences of the people we hold information on?
At 2able we aim to lead by example; as such we have registered with the ICO and are updating our website accordingly. If you’d like to do the same and would like us to run an audit over your site, please get in touch.