As a business owner, you must avoid breaching data protection rules or risk a fine of up to £17.5m or 4% of annual worldwide turnover, whichever is higher. This article busts five data protection myths so your company does not unintentionally violate the UK GDPR.
1. The ICO Exists to Fine Companies
The ICO is the UK's independent regulator responsible for enforcing data protection law against UK organisations. Most headlines concerning the ICO involve it handing out hefty fines in response to GDPR violations.
However, unbeknownst to some, the ICO also helps UK businesses, most notably through its online guidance. The ICO website contains hundreds of articles and guides on the GDPR, including practical tips on complying with its rules.
In this way, the ICO aims to ensure that UK businesses have the tools they need to comply with the GDPR. Only when an organisation fails to do so does the ICO move onto an enforcement footing and consider imposing a fine.
2. Antivirus Software Alone is Sufficient
The GDPR requires UK organisations to process and store 'personal data' securely, using technical and organisational measures appropriate to the risk. Keeping antivirus software up to date is one of several measures your company can take.
However, a UK business cannot adequately protect personal information through antivirus software alone. It will also need to implement additional cybersecurity measures, such as:
- banning staff from plugging unauthorised devices, such as USB drives, into your computer systems;
- ensuring your wi-fi network uses a secure encryption method (WPA2 or, preferably, WPA3, never an open or WEP network);
- providing regular training on cybersecurity and data protection threats, including phishing; and
- enabling two-factor (or multi-factor) authentication on your most important business accounts, such as email, banking and cloud administration.
3. The ICO Only Fines Large Companies
It is a common myth that the ICO only targets larger UK companies. In practice, the ICO bases the size of a financial penalty primarily on the seriousness of the GDPR violation (the sensitivity of the data, the number of people affected and the harm caused) rather than on the organisation's size.
Consider a quick example of GDPR violations by two different companies.
- A large company (with 300 employees) accidentally sends a group email to all its clients without hiding the other recipients, so each client can see the other clients' email addresses. However, nothing beyond email addresses is leaked.
- A small financial advisory company (with five staff members) mistakenly sends an email containing the bank details of 50 individuals to an external email address, putting those clients at risk of sensitive data loss and bank fraud.
Naturally, the ICO is likely to impose a much larger fine on the smaller company, because its mistake has exposed dozens of individuals to the risk of identity theft and bank fraud.
4. GDPR-Compliant Policies Alone Are Sufficient
Having GDPR-compliant policies is an excellent idea, particularly when they are drafted by an expert lawyer. However, UK organisations are also responsible for ensuring that staff and contractors actually follow those policies.
Many UK companies have run into problems despite having appropriate policy wording because they failed to enforce it. An unenforced policy shows the ICO that the document is practically worthless, and it will not count as evidence of mitigation.
5. A Good Lawyer Can Do Away With an ICO Fine
Most data protection lawyers will preach one vital ethos: ‘prevention rather than cure’. This is crucial within data protection matters because the ICO is strict on UK businesses that breach the GDPR.
Whilst the ICO can impose financial penalties for a wide range of violations, some of the most common examples include:
- suffering an avoidable cyber intrusion resulting in the theft of personal information;
- disclosing personal data to third parties without a lawful basis (such as consent);
- failing to provide personal information in response to a valid Subject Access Request; or
- theft of personal data by an employee or a visitor to your premises due to a lack of physical security measures.
Whilst a lawyer may be able to identify and plead mitigating circumstances to the ICO, this rarely makes a substantial fine go away altogether.
Key Takeaways
Many UK business owners obtain expert legal advice to sort the facts from the fiction regarding GDPR rules. This can help ensure that UK businesses avoid accidentally breaching the GDPR in reliance on data protection myths. Another way to guard against GDPR mistakes is by holding an annual data protection audit, which is becoming increasingly popular.
If you need help with data protection law compliance, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
An ICO fine is enforceable in the same way as any other invoice or legal demand. So, if your business cannot pay it, it risks enforcement action and, ultimately, the threat of winding-up proceedings.
This is a common question because the GDPR derives from EU law. However, the GDPR was retained in UK law as the UK GDPR after Brexit, and the UK Government has made clear its intention to keep it in place.