GDPR Nine Months on

It is nearly nine months since GDPR came into force. Although the noise from the run-up to implementation has died down, the activity of the Information Commissioner’s Office (ICO) continues.


The ICO has significantly increased the number of employees engaged in enforcing the regulations and has invested heavily in making the public more aware of their rights. This is a good thing for the public and for businesses that are operating within the law, but bad news for anyone flouting the regulations. The risk of action has increased, and the potential penalties are also significantly higher.


The ICO has said that penalties will be proportionate and fines at the maximum levels of £20m or 4% of global turnover (whichever is greater) will be used only in the most extreme cases. However, it is too early to judge whether this will be the case. Most cases which have reached conclusion relate to incidents before the new regulations came into force.


We have probably all heard about the high-profile cases involving the likes of Google, Leave.EU and Eldon Insurance Services, but smaller businesses have also faced penalties.

One area where fines have been issued under the new regulations is penalties for non-payment of the registration fee. For small businesses the registration fee is £40 or £60 per annum depending on turnover and the number of employees (£35 or £55 if paid by direct debit) but the fines are £400 or £600 respectively.


Many of the other penalties issued relate to nuisance calls or spam e-mails, particularly in calling numbers registered on the Telephone Preference Service (TPS). This is an area which is very important to us at Steadcross as much of our business involves sending e-mails and making calls on behalf of our clients. We always check and follow the rules.


But fines have been imposed for other reasons too. For example, a housing developer was fined £300 and ordered to pay costs of over £1,100 for failing to fulfil a subject access request on time. It is important to have plans in place for how you would fulfil such a request. Data subjects also have other rights, which you need to be aware of, and you need to know how to respond to a request linked to any of these rights.


It is also important to note that if you engage a third party to send e-mails or SMS messages on your behalf, you have a responsibility to ensure they don’t break the rules and a potential liability if they do. A firm of tax advisers was fined £200,000 when a third-party provider sent out SMS messages on their behalf without the necessary consent.


For many small business owners, GDPR is seen as an extra headache. For a small fee of £200 we offer a health-check to highlight areas of concern so that you know where to focus attention. You can then either sort these areas for yourself or engage us to do some of that work for you.
