Regulator issues data warning to SMEs

The Information Commissioner’s Office (ICO), the regulator responsible for ensuring companies protect customer’s data properly, has issued a warning to small and medium-sized businesses that they must comply with data protection regulations – or risk potentially hefty fines.

The warning comes after the ICO imposed a £60,000 fine on a Berkshire-based video game rental company that had failed to take basic steps to protect its customers information from cyber attackers.

Sally Anne Poole, ICO enforcement manager, said: “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.”

She added: “If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”

Fines under the GDPR could be as much as 4% of global turnover or €20m – whichever is the larger. The GDPR comes into full effect from 25 May 2018 and, regardless of Brexit negotiations, the Government has confirmed that UK businesses must comply.

SMEs should be aware that the GDPR introduces some significant changes to current data protection regulations. For example, data subjects will have more power over what information organisations hold on them and how they use it. It must be just as easy for data subjects to withdraw consent as it is for them to grant consent for their data to be held and used. They can also ask for a copy of the data held on them.

Note too that the GDPR captures data processors as well as data controllers. Where a data controller outsources the processing of personal data to a third party, the data controller will still be liable for penalties if the data processor gets its data protection wrong.

These are just some of the new requirements introduced by the GDPR. Given the ICO’s warning, any SME in doubt about its ability to comply must take action now and seek expect advice as necessary.

Leave a comment

 Security code