How will GDPR affect my SME?
General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. We have GDPR laws to protect our personal rights and have greater control over how businesses use our information. If breached, GDPR can result in heavy fines and penalties. To learn more about GDPR in general, we have written a previous blog which you can view here.
How are businesses affected?
For most people, GDPR will be associated with multinational corporations who hold vast amounts of customer information and receive huge fines for their breaches. In some ways, these conceptions are right. These are the breaches we see regularly in the media because of the size of the fines being handed out. An example of this would be when Amazon received a £637 million fine for GDPR breaches in 2021. However often you see news only of the larger GDPR fines, it should be remembered that any business of any size that holds personal data can be fined.
This personal data is defined by the Information Commissioner’s Office (ICO) as “any information related to a natural person or ‘data subject’ that can be used to directly or indirectly identify [them].” This information could be anything from:
- Email or postal addresses
- Bank account details
- Medical information
- Computer IP address
When looking at this list of personal information which could be exposed in a breach, it becomes clear how you can be affected. All businesses hold information along these lines in some form, so unfortunately your business is not safe from a breach. If caught, you can face a fine of £17.5 million or 4% of your global annual turnover, whichever is higher, so don’t think that because your business isn’t the size of Amazon or Meta you’re in the clear!
But will this actually affect me as an SME owner?
The penalty you receive will be determined by the ICO based on the nature, gravity and duration of your infringement. To help you understand how you can be affected as an SME owner, we’ll look at the case of the UK charity Mermaids. For some context, Mermaids provides support to thousands of families with transgender or gender-diverse children and has fewer than 100 employees. In 2021 it was fined £25,000 for a failure to implement adequate technical security measures for its users’ personal data.
The fine represented 2.8% of the charity’s annual turnover. 2.8% may seem like a drop in the ocean in the grand scheme of things, but apply this to your business turnover – how would that affect you? With the additional chance the ICO may increase this fine to 4% depending on various factors, the potential financial loss will be damaging.
Can breaching GDPR ever be accidental?
A GDPR breach is not always a deliberate act by an individual purposely sharing or misusing the personal data they hold on their customers. In fact, there is a chance that your GDPR breach could be completely accidental.
One of these accidental breaches is sending information to the wrong recipient, a violation which represents over 50% of GDPR breaches reported. If you consider the number of typos and slips you make in your personal life, it becomes clear how easily you can become one of the 50%. GDPR breaches are categorised and there are elements the ICO will take into account when deciding upon your fine, but a breach is a breach and a fine of some sort is still likely to follow.
Although these accidents are inevitable and cannot be completely prevented, there are many things you can do within your business to protect yourself. Here at GDPR Defender, part of our service includes support with solutions for issues like this, offering training and support for staff so they can put in place as many preventative measures against accidents as possible.
What help can I get?
That’s where we come in! Here at GDPR Defender, we provide you with everything you need to know on your journey towards compliance. Our services are available for businesses of all sizes and can help prevent all types of GDPR breaches. After completing our 100-point initial GDPR audit, we can provide you with a list of non-compliance issues and help you with the solutions.
To find out more, head over to our website.