Recent research has revealed European regulators imposed almost €160m worth of GDPR fines during the past 12 months, representing a 40 per cent increase on the first 20-month period after GDPR came into force.
While notable fines were issued to organisations including British Airways, Google and Marriott International Hotels in 2020, Tarek Meliti, Director of TDM Group, warns that smaller organisations shouldn’t see this as a sign of leniency towards the SMB community. The average fine companies have faced is approximately €66,000, which, if received in the current climate, would be devastating for SMBs. While regulators have shown consideration in the wake of the pandemic, it is imperative that organisations of all sizes and backgrounds remain compliant.
Tarek said, “survival remains the priority for organisations. With government restrictions set to remain in place for some time yet, business leaders will be putting all their efforts into dealing with built-up debt, steadying operations, reducing costs and growing revenues where possible. While this will understandably remain a critical focus for the year ahead, it’s equally important businesses don’t lose sight of wider processes, such as ensuring compliance with regulations such as GDPR.
“There is a lot of misinformation surrounding whether SMBs are exempt from GDPR, especially in light of Brexit. Not only were the principles of GDPR already applied to UK law in the form of the Data Protection Act 2018, but the EU’s data laws were also protected within the UK law, as part of the decision to leave the EU.
“While the reporting of GDPR fines has largely been focused on enterprise-level organisations, smaller and medium-sized businesses shouldn’t think they are exempt. In fact, changes to how businesses operate could increase their risk of non-compliance.
“Arguably, the biggest business impact from the pandemic has been the mass switch to remote working and cloud services. Businesses are still adapting to a new digital-driven society and the challenges which come with it. One particular area is data protection, with the rapid switch to homeworking creating the ideal environment for breaches. In the event personal data is lost or stolen, a business becomes liable under GDPR. In light of this, we urge all business leaders to look at their existing practices both online and offline and consider whether staff working remotely are doing so in the boundaries of the regulation. Staff should be taking extra precautions to make sure they are protecting confidential information.”
For companies looking for guidance on compliance in the post-Covid era, Tarek added, “ensure all employees are working via approved devices to access work-related documents and emails. Employers should provide the required technology for this and not be reliant on staff using personal devices. Additionally, organisations should review their current cybersecurity protocols and adapt where necessary to cover remote working. Ultimately, all organisations should have created policies to cover GDPR when it was first introduced. It’s important these are revisited and updated in light of the move to remote working. Finally, this should be underpinned through regular communication and training of staff.”