If there’s one thing about GDPR that’s grabbing the headlines at the moment, it’s the eye-watering maximum penalties that businesses could face if they fall foul of the new regulations after May next year. Being fined €20 million or four per cent of worldwide turnover, whichever is bigger, is going to hurt! However, what has pretty much been ignored so far is the set of penalties for lesser transgressions.
These are key because, if you run a small to medium-sized business (SMB), you need to know the least you are likely to face if you fall foul of GDPR.
So how much would you expect the lesser penalties to be? A few thousand euros? Think again!
They are in fact a scaled-down version of the maximum penalties. The problem is that they don’t seem to be scaled down that much. Although actual minimum penalties have not yet been revealed, the lesser ones discussed to date are around €10 million or two per cent of worldwide turnover.
This is still a lot of money, and could easily put a company out of business, depending on its size and health. And in this case size definitely matters, because this penalty is certainly likely to be enough to bankrupt a lot of the UK’s SMBs, many of which have an annual turnover below €10 million.
If the lesser penalties are so large, the number of businesses at risk of being shut down if they fail to comply with GDPR would be significant and actually quite frightening. Perhaps just as scary is the fact that so far the focus has been on encouraging larger companies to ensure they are compliant well in advance of ‘GDPR Day’ next May, and not their smaller counterparts. Yet many large organisations would be able to withstand a hit from the ICO for non-compliance, while many SMBs would struggle to do so.
This means that it’s actually far more important for the thousands of SMBs across the UK – the lifeblood of the British economy – to make sure they are GDPR-compliant and do so as soon as possible, because they stand to lose far more than the Big Guys.
So while the companies providing GDPR compliance services are focusing their attention on large enterprises, a rallying cry needs to go out to cast the net far wider for the sake of Britain’s SMBs. These companies need affordable advice on how to get their customer data in order so that come May 2018 they are compliant and can continue making their key contribution to the UK economy – something this country is likely to need more than ever with the political instability we are now all facing. Currently, they are not being catered for – and this situation must change… and fast!
The good news is that there are existing technological solutions already available that can be implemented immediately with no hefty fees, major commitments or long-term contracts. These enable companies to move customer data safely from acquisition point to database, to ensure that it is stored securely, and to gauge whether it is of sufficient quality, not just in terms of GDPR but also with respect to its value to the business.
Preparing now to make sure they have data in their systems that is consented, qualified and GDPR-ready by the time the legislation comes into force will not only save SMBs’ bacon, but is also likely to give them a significant competitive advantage.
It only took one complaint about Honda for the car giant to be fined a considerable amount under the existing Data Protection Act. GDPR tightens the current laws significantly, and just one complaint could spell the end for an SMB.
Robin Caller is CEO of LolaGrove
Looking at the blog posts from the ICO, it is clear that the expectation is to use a proportionate approach to the use of fines, just as they have done for the Data Protection Act.
Of course, that does mean that companies need to comply and use reasonable efforts, follow industry best practice, etc., but the ICO is likely to adopt a sensible position rather than follow some of the “scare” statements made in some media articles.
David Martin.