Is GDPR the next PPI or is it just another scam?

As the third anniversary of the General Data Protection Regulation (GDPR) falls this week, the ICO has recently been sending out letters to businesses and sole trader professionals requiring them to register.

The cost is £40 for most businesses, and understandably many people think it is another scam.

But it is not a scam. And this letter has to be taken seriously.

In fact, the ICO can investigate your SME business and impose a harsh fine for a serious data breach. In our experience, the public are now becoming very aware of their rights when it comes to protecting their private information.

Advertisements are appearing on television, much like the PPI gold rush, with legal firms scooping up clients who have suffered a leak of financial data, most notably from British Airways and Digital Rights Ireland, which is starting a class action against Facebook, and Ticketmaster UK, which was fined £1.2m in 2020.

But more insidious is the threat to small businesses and sole trader professionals who can be in breach of the law if they send a sensitive email to the wrong person or use a database for a sales pitch without checking first if the recipients have consented.

We usually think of sophisticated hackers as the main cyber security threat, and that is certainly a growing risk, but most data breaches happen every day through the actions of unsuspecting staff and business owners.

The ICO is inundated with complaints from savvy members of the public who know their rights and are determined to enforce them.

The question is, what can businesses do to help themselves if they experience a serious breach and come under investigation?

Costly legal representation is inevitable, but that cost can be seriously mitigated if you have put proper data protection measures in place in your everyday working processes and trained your staff on the areas of risk within your specific business model.

An investigation looks at how your breach happened, whether you took proper measures, and whether it could have been avoided.

Working from home as a result of Covid restrictions has seriously increased the risk for many employers, and those that do have processes in place need to review them to take into account the kind of data employees have access to at home.

So the risk in managing and using sensitive information for clients, patients or for targeting new business is potentially greater than the risk of a cyber attack on your own systems.

Human error has never been under more scrutiny, and the consequences of getting it wrong are serious and costly. You may say that businesses and hard-working professionals don’t need any more costs attached to the daily grind of doing business, but imagine if your information got into the wrong hands and your job or reputation were at risk?

GDPR is not a scam. It is there to protect us all, and if we integrate it into our day-to-day business systems, we will all be part of making the digital age a safe way to do business.

:: Orlagh Kelly is a barrister and chief executive of GDPR compliance specialists