This blog has been written to help SMEs who are concerned about the scale and impact that data protection fines could have on them. If you’re a small business owner, sole trader, director of a small charity, company, or group, or if you run a small school or town council, these tips will be relevant for you, too.
We know that thousands of small businesses and SMEs are doing their best to understand and comply with data protection law, and we want to help. That’s why our focus is on supporting and enabling you to comply, and not on fines.
To help you plan your next steps with confidence, here are some examples of why data protection fines can happen and what you can do to avoid finding yourself in a similar situation.
Being irresponsible with people’s data
If you don’t take adequate security measures to prevent or contain a serious personal data breach, this could lead to a fine. This is because it’s the law to protect people’s data if you’re a controller.
There are a number of steps you need to take to show you take your responsibilities seriously – some are straightforward, while others take a little more thought and planning. The ICO can’t tell you what to do. You need to decide for yourself how you’ll handle people’s personal data from the moment you collect it through to destroying it securely, and consider everything that could happen to it while it’s under your control.
Seeing data protection as a one-time exercise
Generally speaking, the SMEs and small organisations that treat data protection as a one-off box-ticking exercise are the ones that often come unstuck.
Taking responsibility for the personal data you collect, store and use will help you to avoid a fine.
For example, if you think about health and safety law, you must make sure people are safe and protected – now and in the future. You can’t write one health and safety policy and assume it will see your company safely through many years of operations.
It’s the same with data protection. Your systems, people and ways of working change all the time. As a responsible employer, it’s your duty to assess and manage the risks you face on an ongoing basis.
Getting caught out by PECR
If you look at the action we’ve taken, many fines for SMEs have been in relation to direct marketing. Essentially if you want to use any sort of electronic communications methods like email, telephone, or text messages to tell people about your products, services, ideas, or to raise funds, you’ll need to think about the Privacy and Electronic Communications Regulations (PECR) as well as data protection.
You’ll need consent, unless you can use the ‘soft opt-in’, if you want to send marketing messages by fax, email, text or any other type of electronic mail. And it has to be fully informed consent: pre-checked boxes that the customer has to uncheck aren’t enough. Customers can also withdraw their consent at any time.
Before you make marketing calls, you’ll need to check that the people you’re calling aren’t registered with the Telephone Preference Service (TPS) and haven’t previously asked you not to call them, so you’ll need to plan for that too.
Waiting until something goes wrong before taking action
You need to demonstrate your data protection compliance on an ongoing basis and should take steps to get it right first time.
If things go wrong, we’ll take into account any sensible steps you’ve taken to mitigate the risks to people’s personal data, based on your understanding and assessment of the risks. But if you don’t have a track record of working to comply with data protection law, it won’t be easy to demonstrate how you’ve handled personal data in ways that are lawful, fair and transparent.
We know that this is exactly what many businesses want to do, and we’re here to help.
Failure to renew your data protection fee
All companies have to register and pay a data protection fee to the ICO, unless exempt. You can use our self-assessment tool to check if you need to pay a fee and this only takes a few minutes. If you need to pay – and don’t pay – you could be fined.
The data protection fee funds our work to provide help and support.
We’re here to help
If you’re worried about fines or aren’t sure how to comply with data protection law, we can give you some pointers. Our dedicated team of experts is on hand to offer advice and support through our helpline and live chat service for small organisations, which is open Monday to Friday from 9am – 5pm (excluding bank holidays).
So if you’re a small business owner, a sole trader or a small organisation of any type and you have limited resources for data protection compliance, don’t struggle – get help and support if you need it.
Also see:
- What happens when the ICO receives a complaint about my small business?
- Why can’t the ICO tell me what to do?
- Your beginner's guide to data protection
- What security measures do we need to put in place?
- How to deal with data protection complaints you receive as a small business