Smaller businesses might think that they are not required to register for data protection.  They would be wrong to make that assumption.  Since GDPR the Information Commissioner’s Office has been actively pursuing businesses to register.

The activities for August 2019 detail the penalty notices issued for non-payment of the registration fee.  They cover a variety of sectors: property management, tax and accountancy, insurance brokers, marketing, health and social care companies, travel firms, private investigators and protection services, children’s day care, laundry services, schools, recruitment agencies, training and therapy, and assorted consultants.  Fifty eight penalty notices were issued in that one month.  Many more businesses would have been contacted in addition prior to taking action if no payment were made.

The statistics show that the ICO is pursuing all businesses regardless of size, consistently, month after month.  The quarter from 1 October to 31 December 2019 (the latest figures available) showed that 177 organisations were issued with a monetary penalty of £400, 19 organisations with £600 and 8 with a £4,000 penalty.  Again this is the tip of the iceberg as many more businesses would have been contacted with an enquiry about their registered status.

What you need to do now

Make sure your business is registered for data protection unless it is exempt.  Size is not an exemption.

Create records to meet the regulatory standard set out in GDPR.

Be aware of the data protection principles, make sure that staff have training and that there are policies and procedures in place to support compliance.  The key ones are:

  • Data Protection Policy
  • Personal data security reporting procedure
  • Subject rights procedure
  • Data retention procedure
  • Procedure for using third party service providers
  • Data sharing procedure

Don’t ignore data protection.  The consequences of non-compliance are significant, not just fines but the impact on reputation leading to loss of customer or client trust and always the management time you will need to handle complaints, put out positive PR, respond to regulator’s enquiries which will take you away from running your business.  Act now and demonstrate that you understand data protection responsibilities and obligations, it is the best course of action.  Call us if you would like help.

Mandy Webster, Data Protection Consultant