This was a very real argument put to me by a potential GDPR training client last week.
Her logic - that GDPR had now been enforceable for four weeks, she had not registered with the ICO, she had heard nothing from the ICO, the business owners she socialised with locally had similarly heard or seen nothing, the training, policies, and procedures were running into hundreds of pounds, so risk against reward, why should she bother?
At first glance, she had a point, but let's look at some reasons why she was wrong:
Firstly, and some would say most importantly, GDPR is not a 'take it or leave it' optional extra to your business, it is the law of the land (and indeed the rest of the EU), so just like registering for VAT, just like paying the company annual registration fee to Companies House, just like having to keep your speed to 70mph even though you know your car can go faster and you have confidence that your driving skills would allow you to safely do 80mph, the law says you can't.
Non-registration (regardless of whether when registering you establish you need to pay an annual fee or not (and most, but not all, businesses will)), is an offence. You could be fined well over £3,000 for not registering. That's worth risking either £35 or £55 and 10 minutes of your time for? Really??
Secondly, let's consider a possible scenario (there are plenty of others but I will detail some of those in future blog articles).
You take the train to London. You're going for a meeting with your accountant and you have all of your client, supplier and employee information and payment details on a USB stick. Once in London, you take a cab to your accountant's office. You exchange pleasantries, sip your coffee and reach into your pocket for your USB key - it's not there!
Panic sets in, you check your other pockets, you pat your trouser pockets anxiously like a man who just sat on an ant's nest while out for a barbeque. You open your briefcase and horror of horrors, it is not there either.
Apologetically you look at your accountant, explain that you have lost your USB key and you will need to come back another day.
Disappointed, you leave their office, take a cab back to your London terminus and catch a train back home. What a horrible day!
Next day you return to your office, frustrated but otherwise giving little thought to the events of the day before, you copy the data onto a second USB key and store in the lid of your briefcase. "Got it this time" you think to yourself, and ring the accountant to arrange a new meeting.
A few days go by, you're sitting at your desk minding your own business, and your phone rings. It's Julie from reception. Someone has rung from the Information Commissioner's Office asking for a copy of pages from your data breach register covering the period 25th May 2018 until 14th June 2018. Where is the data breach register as she can't find it?
"What the hell is a data breach register?" you think to yourself, and "why do they want a page of ours? -- don't say someone has hacked into the server".
Several expletives and a quick search on Google and you find a PDF which looks like it might do the job. Excited, you download it, it doesn't look too complicated, you quickly scribble in an entry for last week that someone detected an attempted breach of your firewall. That should do it, I will get Julie to email that to them.
A couple of hours pass, life returns to normal. Then your phone rings. It's Julie again. The ICO have called back and are now coming to see us next Thursday to perform a full GDPR audit. The guy who rang mentioned something about a USB key with lots of data on it............
I'm sure you can carry on the story from there. What could happen as a result of the above, well you might just get a slap on the wrist, you might get a substantial fine ('ouch'), you might have to write to everyone whose data was on the USB key telling them you lost their data ("commercial 'ouch'"), you and your company could appear in your local newspaper and/or your trade newspaper ('ouch' and commercial 'ouch') and if you really lost a lot of sensitive data on that USB key, you and/or your company could be barred from handling personal data for a period of time (lose your job 'Ouch!' or possibly even lose your business 'Ouch! Ouch!').
So now, where was I? Oh yes, why should you bother doing anything about GDPR?
If you'd like to learn how to avoid all of the above, please check out our website at https://www.ensurety.co.uk. We look forward to seeing you soon.