It has been over two years since GDPR became a new data security standard. While enterprises and large businesses have ensured they are compliant (for the most part), looking at small- and medium-sized businesses reveals a situation that is far worse.
Even after two years, SMEs are not compliant
According to the GDPR Small Business Survey from May 2019, only 44% of SMEs said they state their data processing in clear and plain language to data subjects, something that’s required by the regulation, while 22% admitted they do NOT use technical solutions to protect personal data.
A DMA survey revealed that 38% of SMEs believe they don’t have to comply with GDPR for the customer data they process and acquire.
Everyone can be prosecuted and fined
This is a serious misunderstanding, as GDPR covers every type of business, even freelancers and individuals within an organisation.
There have been documented instances of individuals, staff members, and small businesses being fined and prosecuted for not complying with the regulations.
So what types of fines can you expect? Here are some examples of breaches for which SMEs and individuals were fined by the ICO.
Blocking of information
A town clerk at Whitchurch blocked records from disclosure after a valid Freedom of Information (FOI) request was placed. She received a fine of £400 but had to cover the court costs as well.
A social worker was fined £483 after unlawfully disclosing referrals for foster placements of young people, while a managing director of a claims management company who obtained personal data and sold it unlawfully had to pay £1,050. Even worse, he cannot be a director for the next five years.
Unlawful access to information
Many GDPR breaches are revealed after internal investigations within an organisation, at which point the organisation has the option to report the staff member who committed the offence. That is what happened to a social services support officer at Dorset County Council after it was revealed they accessed social care records without having any business reason to do so. They were fined, faced a conditional discharge, and had to pay £700 for it.
Contact without consent
Contacting potential customers without making sure they want to be contacted can result in a big fine too. A boiler replacement company was fined £160,000 because they were spam calling people registered with TPS. They weren’t the only ones fined for this action. Others include a funeral home, a home security company, one more home security firm, and a legal services firm.
Non-disclosure by third-party operators
People must specifically give YOU the approval to send any type of promotional or marketing materials. The same rule applies even if you are working with third-party operators who handle your marketing.
Simply put, at the point of consent they must name your organisation to their subscribers and tell them that they might get emails from you. A vague statement that marketing might come from “similar organisations, third parties, or partners” is NOT enough, as a Kent pensions company found out after they were fined £40,000 for over 1.9 million direct emails, even if they didn’t do so deliberately.
This particular case demonstrates clearly that your GDPR compliance is only as good as that of your partners. If any of your partners violates GDPR, you could be held accountable as well.
Vulnerable physical records
And it’s not only about the security of digital records. Physical records that hold sensitive information fall under the strict GDPR rules too. A pharmacy from London was fined £275,000 because they left 500,000 documents in easily accessible containers without a lock. So make sure your records are kept, and disposed of, in a GDPR-compliant manner.
Whether you are a large business, a small one, just a staff member, or a freelancer doing your own thing, you are NOT exempt from the GDPR. Make sure you are compliant. If you’re not sure where to start, check out our GDPR checklist for your home office: