Q: GDPR fines have been in the news lately; what are the risks for me as a small business owner?
As the recent fines were handed down to large companies, it is easy for small businesses to feel that GDPR is not relevant to them as the Information Commissioner’s Office (ICO) is only looking for big fines from big businesses. However, the new data protection legislation applies to any personal data held and therefore is something that you and every small business owner should be on top of.
I have heard some SMEs saying that they have no “personal data” because they do not sell to consumers. This is a myth. Every business has personal data – anything which identifies a living person is personal data; even if that person’s contact details are for work rather than home, they are still personal data. So, if you employ people and/or have to speak to people to sell your goods/services, you have personal data and GDPR applies to you.
A key lesson that we should learn from the recent highly-publicised fines is that ignorance is not bliss. BA and Marriott had some security around their data, but the ICO found they didn’t do enough. And for Marriott specifically, the ICO found that they failed to undertake sufficient due diligence when buying a business to discover the historical breaches – so you cannot say “it wasn’t on my watch” if your business has grown from acquisitions and an acquired business didn’t comply with its GDPR obligations.
Many SMEs worry that GDPR is a barrier to doing business. However, compliance with the rules shouldn’t stop you running your business: there may be changes you need to make to ensure that everyone in your business understands the new legislation, but a lot of the provisions of GDPR were in the Data Protection Act 1998 and are built on common sense.
Make sure you understand the legislation and take commercial and practical legal advice on what changes your business needs to make – but get your house in order now before the ICO have reason to look at your business and question what you have (or haven’t!) done to comply with your obligations.