So how much attention should small businesses pay to GDPR? While it is true that data protection watchdogs are focused on reining in the unruly marketing behaviour and data sharing practices of global tech giants such as Google and Facebook, it’s not really about whether or not you get caught, as a hairdressing salon in Hull found out last week.

An unfortunate customer in Hull tripped on her way into her local hairdressers. Staff were very sympathetic and caring as they fussed over her in the ensuing moments (according to the CCTV footage of the incident). However, following the incident the salon owner, in what can only be described as a moment of madness, set up a group chat with his staff and shared CCTV footage of the incident.  Together he and the staff seemed to have a jolly time adding in some cliched witticisms about fat people.  Then of course something even more predictable happened – yes, someone uploaded it to Facebook.

Perhaps they found the whole episode entertaining, maybe they had watched too many episodes of “You’ve been framed!”; whatever the motivation, this is a clear case of unauthorised disclosure of the individual’s personal data (yes, CCTV images are personal data) and the end result was distress and embarrassment to their customer (and hopefully to some of the staff). Queue customer seeking compensation……

Intuitively most people would realise that such use of CCTV images without the knowledge or consent of the data subject is wrong. But businesses cannot rely on their staffs’ common sense or individual moral compass when it comes to protecting people’s personal data. That is why it is so important to train staff in the basic principles of GDPR (and in the case of the Hull hairdresser, not just the staff!).

So a very avoidable data breach, much embarrassment all around, one ex-customer possibly taking legal action and lots of bad publicity not only on Facebook but also in the national press.

It does not matter the size of the business – all businesses need to know the rules of data protection; you cannot assume that your staffs’ “common sense” will see you through nor for that matter that your own will.   All businesses need to ensure that anyone in their business who handles personal data is trained in the data protection rights of their customers and the company’s legal obligations  to them.

After all, small business owners do not see their size as an obstacle to using new technology to benefit their company. So they must follow the rules when it comes to protecting their customers’ data, be it CCTV images or records of names and addresses.

Joy Higham, Data Protection Consultant

13th June 2019