5 ways to avoid a fine from the ICO

It’s best not to ignore the Information Commissioner’s Office (ICO). Last year, they made the following statement at a CBI event:

“If you adopt privacy by design, treat cyber security as a boardroom issue, and demonstrate a robust culture with appropriate transparency, control and accountability for your and your customers’ data, then we will not usually have an issue with you should the worst happen.”

Data privacy should be foremost in most people’s minds these days, thanks to high profile breaches and the introduction of the GDPR on 25th May 2018.

But what does the above statement mean, exactly, and how can you avoid being fined by the ICO?

1. Get registered with them!

In October 2018, under the old data protection legislation, the ICO issued a maximum fine of £500,000 to Facebook for failing to protect its users’ personal data. Likewise, Farrow & Ball also received a slap on the wrist and tried unsuccessfully to appeal against their fine.

The ICO isn’t only focusing on the big boys, though; a number of sole traders and smaller businesses have also been fined in recent months.

The first step to avoid this yourself is to register with the ICO. It can cost as little as £35 per year and there’s a great guide if you’re unsure whether or not you need to register.

2. Operate a data privacy-first mindset

Before you do anything new for your business, it’s vital you consider the implications for data privacy.

For instance, sharing data with a new supplier, introducing new software or changing a process (such as introducing CCTV) will directly impact the way you collect, store and process data.

There are some simple things you can do:

  • keep data safe by adopting best practices such as Cyber Essentials;
  • ensure any company or partner with whom you share data adopts the same best practices as you;
  • train staff on the value of data to your organisation; and
  • show them how to identify and deal with dodgy emails.

The list above is certainly non-exhaustive, but joining one of our courses will help you identify other areas that contribute to a data privacy-first mindset within your business.

3. Invest in staff training

Your staff lie at the heart of your business, but if they’re unaware of how to properly handle personal data, they could put the firm at risk of being fined.

Mistakes are rarely made with ill intent, which is why regular training in data privacy and the creation of robust HR policies that link to its use are essential. Prevention is better than cure.

Staff who think it’s OK to look at records when there’s no legitimate reason for doing so risk hefty fines and an unwelcome entry on the ICO’s website. That’ll be enough of a deterrent for most people, but awareness will only come from good training and knowledge of procedures.

4. Don’t rely on your IT team

Data processing may have historically been the domain of the IT team, but it’s now a board room issue.

Directors and owners of businesses become accountable should the worst happen with personal data stored by the company. The buck always stops at the board room table, which is why data protection and privacy need to be a regular agenda item during meetings.

Does your company’s board know where personal data is held within the business and how it’s processed and handled by staff? What about the businesses with whom you partner? Are they following the same rules?

The GDPR applies to data in all formats – from digital to paper copy – and it demands a place during high level discussions within any business.

5. Create a privacy notice

If you don’t have a privacy notice or haven’t updated yours for a while, now is the time to put pen to paper.

A modern privacy notice simply tells customers and staff how the business handles personal data, and does so in language that everyone can understand. This means it needs to be written in plain English and free of the legalese you typically get from a lawyer.

We’re not suggesting this is an easy thing to do, but while the GDPR regulation is complex, the principles behind it rely on common sense.

Wrapping up

No one wants to be fined by the ICO. Use our tips above, and you’ll greatly reduce your chances of landing in hot water because of the way your business handles personal data.

If you need help staying compliant, please get in touch.

MD for Risk Evolves, Helen has worked in the IT industry since 1986. Helen is a leader in the areas of risk management and operational improvement, and works with companies in senior governance, risk and compliance roles. She is a member of the British Standards Institute and is a member of the BSI Committee creating a new guidance standard to assist organisations on how to become cyber resilient. Helen and the team at Risk Evolves work with organisations to improve their resilience through stronger process implementation and better communication and education of staff.
