Getting away with it: What are the chances?
It’s nearly five months on from ‘GDPR-day’ and there are still plenty of organisations who have convinced themselves that it was another Y2K situation and may even be congratulating themselves on not falling for the hype. Carrying on with business as usual, their only nod to the new legislation has been a refreshed web data usage statement masquerading as a privacy notice.
Sitting back on their laurels hasn’t been an option for everyone though – because last week saw the ICO announce its first action against organisations that have failed to pay the new data protection fee. Why anyone would avoid doing so is hard to fathom: the fees range from £40 to £2,900 (£5 discount for a Direct Debit); the form takes approximately eight minutes to complete; and not registering carries an automatic penalty. The fines issued are from £400 to £4,350 and probably came in one of those super-stressful plain brown envelopes. There are 34 organisations involved in this action (so anything between £13K and £136K to add to the Government’s coffers) and they cover the NHS, recruitment, government, finance and accounting. Basically, folks that should know better. Hopefully they feel the same way about this as I do about my teenagers’ library fines and it won’t happen again.
How did the ICO find out about these organisations? The latter sure didn’t go telling anyone that they hadn’t registered. Maybe there is a small sub-section of the ICO’s 670 staff sitting in a Bletchley-like hut somewhere in Wilmslow, armed with the Yellow Pages and the Register of Controllers, looking feverishly for miscreants.
A more likely explanation is that someone complained. Remember the email that might have been an SAR, the one you ignored because you were undecided? Well, it was, and now Anthea from Antrim has filled in the complaint form on the ICO website. Or that SMS marketing message that you weren’t completely sure you had consent for, but sent anyway. Oops: the recipient knows fine well they haven’t given you permission, and they are filling in that online form in less time than it took you to programme the ‘STOP’ link. Once you are under the microscope, you aren’t going anywhere until someone has checked you out. Haven’t registered? A fine is a quick win for a Regulator that is under pressure to show its teeth.
Or maybe you have come to the attention of the people you should really worry about. The privacy geeks who want companies and technology to be ethical and held to account; who know how to read the mysterious code you are creating or the methods you use to manipulate data for your own means; who understand how much money you make from data; and who are ready, willing and able to make you accountable for your actions. These range from Max Schrems and his organisation None of Your Business, to the compliance department at your competitor, or even a disgruntled (ex)employee who knows exactly what you get up to on a daily basis.
Even more worrisome for organisations in some sectors is that other people’s misdemeanours may lead to an investigation into yours. Third party marketing services such as list brokers, email marketing bureaus and data augmentation services should be more than a little anxious. Last month saw EDML receive a £60K fine for a service which it argued was being supplied as a data processor, but the ICO disagreed. One has to suspect that they took the fall for all of the bad actors in this space, particularly as the Regulator has listed other organisations it is monitoring. There were other forces at play here as well, with consumer groups getting increasingly determined to put a halt to what they see as nuisance marketing.
One final point for those who still fancy their chances. When everyone around you is making their best efforts to act with integrity and transparency, you stand out like a red wine stain on a wedding dress if you aren’t doing the same. The GDPR and other national legislation have been specifically created to encourage collective accountability, and this is being exercised by your customers, staff, suppliers, clients and indeed anyone where data is the mechanism for an interaction with you. Simple stuff like a lack of a privacy notice, irrelevant security statements on your website, no unsubscribe option on your email are all alerts to your lack of compliance with the legislation.
And then it’s only a matter of time…