Originally published on 18 July 2018
Updated October 2023
May 2018 saw the European Union adopt a robust new set of data protection laws called General Data Protection Regulation – also known as GDPR. Since its inception, the government body responsible for cracking down on GDPR breaches in the UK, the Information Commissioner’s Office (ICO), has been busy. Understandably, GDPR for small businesses has been a great worry.
When GDPR legislation was introduced, we were warned not to take the new regulations lightly. The fines, up to €20 million or 4% of annual global turnover (whichever is higher), were presented not as a simple deterrent but as a real and genuine threat that the ICO would not hesitate to follow through on. And the ICO, along with other international regulators, did not disappoint.
The fallout of GDPR has been, arguably, biblical. Businesses from the likes of Google to Marriott Hotels have been handed eye-watering GDPR fines. The largest fine on record is €50 million, doled out to Google for a variety of data protection violations. British Airways originally had the largest, of over €200 million, but the fine was later reduced to a mere €23 million.
Why Is GDPR So Harsh and So Rigidly Enforced?
The rules appear, on the surface, to be quite tough on businesses – particularly GDPR fines for small businesses. The reality is that they’re pretty much in line with other forms of consumer protection and compliance fines.
GDPR is all about the rights of citizens – our rights as individuals, our right to privacy and our right to control how our personal information is used. As with other consumer-protection laws, the harsh fines and keen eye of regulators exist to ensure the rules are taken seriously.
The big difference is that GDPR has finally brought data protection law up to date with the digital age, but the rapid change has been a shock to the system. Where once there were almost no regulations, there are now hundreds, all prepared to wreak havoc on your business.
Previous data protection laws governing businesses were implemented in the 1990s, a long time before mass data collection, cloud storage and so on. The rules did not provide adequate protection to individuals, which meant their data could be used in a lot of ways they didn’t want.
After so many years of pretty relaxed data usage across the world, a serious shake-up was needed to change mindsets, along with serious consequences for flouting the rules.
The reason GDPR fines feel so harsh is that the landscape before it was a fairly lawless place – where personal data could be sold on a whim, and customers could be bombarded with marketing emails after sending a simple email query.
Does GDPR Apply to Small Businesses?
News-grabbing GDPR fines are always going to feature major corporate entities. As recently as May 2023, Meta, the owner of the Facebook and Instagram social networks, was issued a record fine of $1.3 billion by the Irish Data Protection Commission. The numbers are so apocalyptically large that it’s almost impossible to ignore them.
Given the way that GDPR is built – and the way it is reported on – you’d be forgiven for thinking it applies solely to the realm of big corporations, and that this personal data protection measure is designed for those that store vast amounts of customer data.
Surely your small business, with only a few pieces of personal data stored compared to giants like Google and Meta, is not subject to the same gargantuan fines and eagle-eyed watch of the ICO?
Not so. GDPR covers all personal data of citizens of the European Union. And if you’re thinking that this now means it doesn’t apply to those in the UK, you need to know that while GDPR was made law under the European Union, the United Kingdom – now having left the EU – follows UK GDPR, which is effectively the same set of regulations.
With that in mind, GDPR in the UK incorporates all personal data of any European or UK citizen, which means it applies to every business that stores data on these individuals, whether your turnover is £10,000 or £10 billion. GDPR for small businesses, when unprepared, is a real threat.
GDPR Applies to Small Businesses, But Could You Really Be Fined?
There is a big difference between application and execution. While GDPR might apply to your business, what are the chances the ICO will ever pay attention to you? Well, the probability is higher than you might think.
It’s fair to say that the ICO isn’t pulling any punches for any organisation that breaches GDPR, and that includes SMEs. GDPR fines for small businesses actually make up the majority of fines brought under the regulations. Here is a handful from a growing list of SMEs that have been fined by the ICO to date:
- Eldon Insurance Services Limited – £60,000. Trading as GoSkippy Insurance, the company was fined £60,000 for sending direct unsolicited emails without consent.
- Lifestyle Marketing, Mother & Baby Ltd – £140,000. One of the earliest six-figure ICO fines given to the company hosting the Emma’s Diary website. The company gave subscribers free advice on pregnancy and childcare but resold their personal information without consent.
- Tax Returned Limited – £200,000. This personal tax assistance firm was fined £200,000 for sending millions of unsolicited marketing text messages.
- DM Design Bedrooms Ltd – £160,000. This Glasgow-based bedroom design company was fined £160,000 for making 1.6m unsolicited calls to TPS (Telephone Preference Service) subscribers.
- Alistar Green Legal Services – £80,000. This Liverpool-based legal services firm was fined £80,000 for 213 unsolicited phone calls to TPS subscribers.
- Secure Home Systems – £80,000. The company was fined for unsolicited calls made to numbers obtained from a purchased third-party list that it had not screened to check whether the numbers came with consent attached.
That’s £720,000 from just six SMEs. Clearly, the ICO means business when it comes to GDPR for small enterprises.
GDPR Fines for Small Businesses: It’s Only Getting Worse
Our list is just the tip of the iceberg when it comes to small business GDPR fines in the UK.
What’s more, GDPR fines are not only increasing in regularity – as more people start to understand their rights and take action against rule-breakers – but the fines are set to become even higher.
Znet reports that regulators are gaining more confidence in enforcing GDPR, which means they are likely to start using more of the powers available to them, including fines closer to the maximum amount allowed. The website Enforcement Tracker shows just how many fines have been issued so far, where they were issued and for how much. The cumulative sum of fines issued since May 2018 doubled from €2 billion in August 2022 to over €4 billion in August 2023.
How Much Could My Small Business Be Fined for a GDPR Breach?
With figures going up, what kind of small business GDPR fine could you be facing in the event of a GDPR breach?
Even with numbers rising, the maximum fine of €20 million or 4% of annual global turnover is unlikely to be your final figure. GDPR.EU reports on a survey carried out using data from 91 GDPR fines, citing €66,000 as the average. With the small businesses identified as examples in this blog typically facing £60,000 to £80,000 fines, this figure appears to give us a good representation of the GDPR fines you could face.
So, while GDPR fines in the UK might not be new – we’re now over five years into the regulations – it’s never been more important to avoid GDPR breaches. The potential cost of a breach and a GDPR fine to your small business is ramping up, and as the short history of the regulations shows, you are far from safe.
How Do Small Businesses Protect Against GDPR Breaches?
As you might have noticed, unsolicited messages are the biggest issue with GDPR compliance where small businesses are concerned – as few as a couple of hundred messages have resulted in an £80,000 fine. Even unintentional breaches, such as using a purchased contact list from a third party, have led to enormous GDPR fines for small businesses.
The message is quite clear from the ICO – organisations need to take GDPR seriously. Elizabeth Denham, UK Information Commissioner from July 2016 to November 2021, is quoted as saying:
“…For those who do not take this responsibility seriously or those who break the law, we will act swiftly and effectively. We are using the intelligence we have gained – from more than 40,000 data protection complaints since May 25 2018 and over 14,000 personal data breaches reported to us, as well as intelligence from other regulators and investigations we have instigated — to take robust action.”
But how exactly do you heed Denham’s warning?
Many of the organisations facing GDPR fines will have been under the impression they were GDPR compliant. The problem is that GDPR is so complicated and comprehensive – and such a change from what data protection laws used to be like – that it is seemingly impossible to keep up with expectations. A lot of these unsolicited messages were sent without malicious intent or design, but simply out of a lack of understanding of the rules being broken.
The simplest way to ensure absolute GDPR compliance is to get your processes audited by experts. If there are holes in your compliance measures, such as failing to gain the right form of consent before contacting consumers, the experts will find them.
GDPR For Small Businesses Made Easy
Our IT consultancy services and cybersecurity services include GDPR audits and coverage. Optimising IT experts will evaluate your IT systems to find where you might be risking compliance problems that could lead to GDPR fines. We can then help you develop and introduce solutions to get yourself on the right side of the ICO.
It all starts when you get in touch with the experts, so whatever worries you have about GDPR compliance in the UK, get in touch with Optimising IT today. You can use our online contact form, call us on 01242 388530 or email us directly at [email protected] and we can immediately begin to alleviate your GDPR worries.