GDPR and Fines

Transcript of the Video

Good evening ladies and gentlemen, Suzanne Dibble here, coming to you raw and uncut on a Friday evening after I've been out for dinner with some friends. I had a couple glasses of wine, so I'm going to keep this video short and simple.

I want to talk to you about sanctions because it probably is, certainly when you first came into this group, when you first heard about GDPR, something that caused you concern. We've all seen the headlines of 20 million Euro fines for non-compliance of GDPR. It's frightening, as a small business owner. You know I've read comments from people in this group who were saying, "I was thinking of placing my business down because of GDPR." So when you hear headlines like that out of context, it is very scary.

Now, of course, it is true, that for certain elements of non-compliance with GDPR, the maximum fine is increasing from what it is now, which is 500,000 pounds, and it will be going up to 20 million Euros, and well obviously, the British equivalent of that. And, or sorry, and 20 million is kind of the headline, the exact top sanction if you like, is 20 million Euros or four percent of your global turnover, whichever is the higher. There is a lower threshold of fines for slightly different non-compliance issues, and that's 10 million Euros or two percent of your global turnover, whichever is higher.

So these are headline-making fines because the fact that they've increased it from 500,000 to 20 million is significant. Even if you, as a small business owner were not going to get fined 20 million, the fact that they have increased it so significantly, shows the seriousness with which European regulators are taking this issue of data protection.

So let's talk about what are the chances of you getting fined 20 million. Well, rest assured as a small business owner, if you're not processing significant data, if you're being sensible, if you're looking after the data, if you've got security of data, if you're telling people what you're doing with their data, et cetera, you're not going to get fined 20 million or anything like that. If you as a small business owner, are working towards compliance, you've not just heard about it, and you're like, "Oh, that's just, you know that's just a big con, I'm not doing anything to do with that, it's just too complex, I'm just going to ignore it and spam these people, and do whatever," okay then that's a different story.

But if you are a small business that's heard about GDPR, you're in this group, you've downloaded my chat list, you've bought the pack, and you are actively working towards compliance, well if there is a complaint against you, which is more than likely the way that you're ever going to come to the attention of the ICO, because they don't have vast police forces of data protection police going around, checking whether you're compliant to the Nth degree. If there's a complaint and the ICO come and investigate, if you can point to the fact that you have been working towards compliance, then chances are that the ICO is going to work with you to become compliant, rather than in any way sanctioning you or fining you. So please don't lose sleep over that is the main point of this video.

The second point is, don't sweat the small stuff. And I think it's great how engaged people are in this group, and the types of questions that you're asking, but really the things to focus on is the big stuff. So it's things like the principles, the data protection principles, things like the transparency and fairness of processing. The things that I listed and talked about, in my two-hour webinar that you can view from the link in the pinned post of this group. It's the things like finding a lawful ground for processing, and again, that was in my webinar.

Think of the big picture and what the legislation is all designed to do, and that will very much inform you as to whether you can or can't do something, or what you can and can't do, so yes, I suspect that nine out of ten businesses by the 25th of May, certainly nine out of ten small businesses, won't be compliant, fully compliant with GDPR, and I suspect very strongly that there will be no fines on the 26th of May for people who are non-compliant. But if you are, if you're doing something that I would say is, you're not having those principles in mind, you're spamming people, you're selling lists when you shouldn't be, you're not keeping data secure, you're playing fast and loose with people's personal data, and yes, there's a high chance that you could be fined.

And I'm sure actually that in the first few months, six months, first year of the legislation, the regulators will be looking to make examples of people, and to impress upon people the significance of this legislation and the fact that businesses do have to take it seriously, and it's not just a box in a ticking exercise, it is a cultural shift that is required within organizations. But as small business owners, as I say, there's a key message I want to get through. The fact that you're not compliant in one small area, but you're with the spirit of the principles of data, and you're doing nearly everything right, the chances of you suffering any kind of fine or anything like that, in my view, very, very remote.

The ICO has already gone on record to say, they work more with the carrot than the stick. So chances are if they came to investigate they would show you how you are not yet compliant, and help you work, help you to become compliant in those areas. So, so please don't be thinking, "Oh I've got to shut down my business because GDPR is such a nightmare and I can't possibly be compliant." Because of A, you can be actually, but B, even if you're not by the 25th of May, if you are working towards compliance, then that is probably going to be good enough.

So that's all I want to say for now, short, short and chopped video, mainly because I haven't got any notes today. I haven't been out all day, but I think it's a really fundamental thing to think about, because particularly for small business owners, you see the headlines, and then you hear, "Okay, I've got to be compliant or I could get fined X." And then you think, "But this regulation is so complex, I don't even know where to start." And that does lead to people thinking, like the poor lady that commented in the group, "I was about to close my business down." That nearly broke my heart when I read that.

So please don't ... Oops, a bit of low power mode there, I hope that didn't show in the video. Please don't worry too much about it, okay. If you're I say, following the right principles, being sensible about stuff, the tiniest breach is really not going to get you in trouble, okay? So all I can say is, do what you're doing but work towards compliance. Take it seriously, but don't sweat the small stuff. Keep your eye on the principles, on the lawful grounds of processing data, of being upfront with people about what you're going to be doing with their data, chances are you're going to be more than fine with that.

All right, I will leave it there. I am going to do future videos on the areas that we've discussed and have been requested in the group, so I'm certainly going to be doing one on photographers and for virtual assistants, and there are a couple of good posts in the group about sales and marketing related topics, that I will also be picking up on next week, so there's still lots to talk about.

Thank you as ever for your continued support. Can't believe we hit over 3,000 members is just about two and a half weeks, just less than two and a half weeks. So, thrilled as a lawyer, that doesn't often get to have people being interested in areas of law. Absolutely thrilled that you are engaged in this topic and want to know how you can best comply with GDPR. And the answer is of course if you haven't got the checklist yet, go and grab that. There's a link in the pinned post. If you've requested it, and you haven't got it yet, go and check your spam box, because some people have very overactive spam filters that will just filter out everything that Infusion Soft sends you.

Watch the training material, our training if you haven't done already. That's in the pinned post as well, the link for that, and of course if you haven't yet bought your GDPR pack, it's only 97 pounds, certainly a very good way of demonstrating if the ICO ever come knocking, that you are working towards compliance. So yeah, have a fantastic weekend, I'll do in a little bit of video tomorrow and Sunday, and yeah, just have a good one. Don't lose any sleep over GDPR.