Quick fix data protection compliance for SMEs

Smaller businesses might think that they are not required to register for data protection. They would be wrong to make that assumption. Since GDPR the Information Commissioner’s Office has been actively pursuing businesses to register.

The activities for August 2019 detail the penalty notices issued for non-payment of the registration fee. They cover a variety of sectors: property management, tax and accountancy, insurance brokers, marketing, health and social care companies, travel firms, private investigators and protection services, children’s day care, laundry services, schools, recruitment agencies, training and therapy, and assorted consultants. Fifty eight penalty notices were issued in that one month. Many more businesses would have been contacted in addition prior to taking action if no payment were made.

The statistics show that the ICO is pursuing all businesses regardless of size, consistently, month after month. The quarter from 1 October to 31 December 2019 (the latest figures available) showed that 177 organisations were issued with a monetary penalty of £400, 19 organisations with £600 and 8 with a £4,000 penalty. Again this is the tip of the iceberg as many more businesses would have been contacted with an enquiry about their registered status.

What you need to do now

Make sure your business is registered for data protection unless it is exempt. Size is not an exemption.

Create records to meet the regulatory standard set out in GDPR.

Be aware of the data protection principles, make sure that staff have training and that there are policies and procedures in place to support compliance. The key ones are:

Data Protection Policy
Personal data security reporting procedure
Subject rights procedure
Data retention procedure
Procedure for using third party service providers
Data sharing procedure

Don’t ignore data protection. The consequences of non-compliance are significant, not just fines but the impact on reputation leading to loss of customer or client trust and always the management time you will need to handle complaints, put out positive PR, respond to regulator’s enquiries which will take you away from running your business. Act now and demonstrate that you understand data protection responsibilities and obligations, it is the best course of action. Call us if you would like help.

Mandy Webster, Data Protection Consultant

About the Author: mandy.webster

Since June 1999 Mandy Webster has been a freelance consultant offering audit, advice and training on privacy, information security and e-commerce issues as Data Protection Consulting Limited. The company’s mission is to help clients from a variety of sectors, and of all sizes, comply with data protection law and to that end it offers a range of solutions. Mandy, a qualified lawyer, is author of ‘Data Protection for the HR Manager’ and ‘Data Protection in the Financial Services Industry’ published by Gower and “Effective Data Protection” and ‘The ICSA Data Protection Troubleshooter’ published by ICSA Publishing Limited. Mandy is a well-known writer, commentator and speaker on data protection.

Quick fix data protection compliance for SMEs