This is a statement we have heard a few times recently when talking to companies about the rights of the public to video data under GDPR and the risk of fines from the ICO or other National Data Authorities.
The reported record-breaking fine of £183m issued to British Airways is groundbreaking, not just because at that amount it would almost quadruple the amount companies have been fined under GDPR across Europe in one hit, but also because it shows a step change in the desire to make companies put data privacy at the heart of their strategies.
When we discuss with companies their concerns around GDPR, they usually fall into one (or more) of three areas:
- Desire to reduce risk of regulatory penalties
- Improved perception by the public
- Improved organisational efficiency
Now we never think being purely focussed on "not getting fined for a lack of compliance" is a good base for a company's activities, but it is a pretty essential aspect. On top of that, believing that the organisation that might fine you is unlikely to do anything is definitely a pretty unwise strategy, especially considering there have been some fairly decent sized fines going out in the last year including...
Another statement we hear on occasion when speaking to smaller companies about compliance with GDPR... but the evidence would point to the contrary.
The ICO publishes all enforcement activities it has taken here, and having a permanent record of breaking the public trust is embarrassing in itself. A quick look through finds a long list of fines against SMEs and individuals for breaching aspects of GDPR. We have pulled out a couple of examples:
These fines weren't issued for massive data breaches but for failure to comply with other aspects of GDPR, like registering with the ICO, not making the public aware they could opt out of being recorded on video, and ignoring Subject Access Requests for personal data.
“Consumers and citizens have stronger rights to be informed about how organisations use their personal data.”
“When it comes to data protection, small businesses tend to be less well prepared. They have less to invest in getting it right. They don’t have compliance teams or data protection officers. But small organisations often process a lot of personal data, and the reputation and liability risks are just as real.”
During our research for Col8's guide to the public's rights to video data under GDPR, which can be downloaded using the link at the bottom of the page, we discovered that in just over a year there were 94,622 complaints submitted across Europe to National Data Authorities for concerns about compliance with GDPR.
That is a complaint every 6 minutes - 24hrs a day - 7 days a week.
This is the interesting part - the UK accounted for nearly 80% of complaints!
Within Col8's work helping companies manage the impact of Subject Access Requests for video under GDPR with our tool Data Transparency, we find that it isn't the potential fines of up to 4% of global turnover that worry most companies; it is the fact that the awareness of the public is the primary driver for how many requests are made.
Companies must give a requestor the video footage they have on them, free of charge, within one month. Add the complexity of having no idea how many requests you may get, and you are left with a difficult question - how do you create an organisation that can meet this challenge?
You can't simply put a team together that can handle hundreds of requests a day just in case, because they will then sometimes be sitting idle, nor can you risk not having trained people in place in case of a deluge of Subject Access Requests. We believe the key is in having an efficient workflow that reduces the touch points with different people and brings together the latest video searching and redacting technology to make the task quick and efficient.
Contact us to see what we have to offer your organisation. Whether you are a single-person company or an entire city council, our solutions can help you manage the risk and increase efficiency.