Manuel Martinez

6 Reasons SMEs Get Fined Under The GDPR

6 Reasons SMEs Get Fined Under The GDPR

Share this content

This article explores the 6 main reasons SMEs are being fined under the GDPR and how you can prevent your organisation from similar penalties. It will explain the grounds for each fine, followed by a case study to illustrate. It will then suggest ways you can avoid making the same mistakes and the key takeaways .

Whilst fines exist, it is important to also note that the proportionality principle applies which states that so long as SMEs have tried to comply with the GDPR, then regulators will take this into account when assessing the penalties it dishes out. If SMEs show ignorance towards the GDPR then fines are likely to be harsher.

Remember however that non-compliance is more than just a fine as there are additional costs that add up. They are in the form of litigation fees, public relation costs and reputational damage that may all contribute towards the overall landscape of non-compliance.

Reason 1: Organisations not following the principles for processing data (i.e sending unsolicited emails)

SMEs are liable to being fined if they don’t follow the principles for processing data. This translates to unsolicited emails and marketing directly to customers as it shows an irresponsible attitude towards personal data and data subject rights, which goes against the principle of processing data in a lawful, fair and transparent manner (see Article 5(1)(a) GDPR).

Case study

Tax Returned Limited, with less than 15 employees, was fined £200,000 for sending millions of unsolicited marketing text messages and equally, Rancom Security Limited was fined €125,000 for sending unsolicited marketing calls.

Key takeaways

  • Sending direct marketing emails require opt in consent only.
  • Pre-ticked boxes are not enough to demonstrate your organisation’s compliance with the GDPR.

Reason 2: Insufficient legal basis for processing data

Another common reason fines are handed out is due to the lack of a legal basis for processing data which comes with no surprise as the biggest GDPR fines to date have been associated with this Article (see Article 6 GDPR). These 6 grounds for lawful processing are:

(a) Consent

(b) Contract

(c) Legal obligation

(d) Vital interests

(e) Public task

(f) Legitimate interests

They legitimise the use, transfer and storage of personal data, whereby if not met would deem the controller as processing data without a lawful basis.

Case study

Alterna Operador Integral SL (Flip Energy) was fined €50,000 when a customer filed a complaint stating that her energy provider was switched to Flip Energy without her consent. This breaches Article 6 as the data transferred was without a legal basis, such as consent or legitimate interest.

We can also learn from the biggest fine to date: France v Google Inc. In the case of Google, whilst consent was obtained, it was not legitimately obtained for two reasons: the consent was not informed and was not specific to the purposes of processing. Thus, consent can only be informed if the user is aware of the extent to which their data will be used in personalised ads and other marketing materials. Specificity must also be met if users agree to each purpose that their data would be used separately. Google had instead used a one box fits all exercise whereby a tick in one box meant that the user would agree to all forms of processing, and this was held to be unlawful as the net was cast too wide.

Key Takeaways

  • Your organisation should make your customer base and users aware of the extent to which you may capture their personal data.
  • It is also crucial that you specify the purposes for which you will process their data and the user must be asked to agree to each one separately and individually.
  • You therefore cannot make users tick one box that would give their consent in full to all purposes for which their data would be processed.

Reason 3: Data Breaches

Issues of storing too much data and not knowing exactly where they are stored can make data breaches costly. It is crucial that SMEs are aware of the mechanisms available that can help prevent data breaches or at the very minimum control them.

Given that currently, due to Covid-19, many workers are now working remotely, it is ever more crucial to prevent data breaches via incorrect email recipients being added and employees being victims to phishing emails. Therefore, an extra layer of protection is required from your organisation in the form of education and business best behaviours to reduce and avoid the risk of data breaches.

Practical methods to avoid data breaches for your organisation is to conduct awareness training such as sending simulations of phishing emails and seeing whether employees can tell them apart from legitimate emails. Training should also be given in the area of password protection and how employees can take steps to keep client data safe and secure.

Case study

According to a report conducted by Verizon, 28% of data breaches in 2020 involved SMEs, which is almost a third of all data breaches. 45% was due to hacking and 22% were due to internal errors.

Key Takeaways

  • Ensure that your organisation is aware of where your data is located by having this mapped out.
  • This way, you can better control who has access to what type of data and whether encryption or other security measures are in place for data that is personal or deemed to be sensitive.
  • Having these controls can at the very least, prevent the compounding effect of data breaches.

Reason 4: Holding personal data for longer than is necessary and not following data minimisation rules

Another frequent reason that fines are dished out is related to the concept of data minimisation. Organisations should not hold data for longer than is necessary (Article 5(1)(c) GDPR) and should minimise the amount of data that is retained (Article 5(1)(d) GDPR) to make sure that data security issues are not further compounded by large amounts of unsorted data. The worst thing for your organisation is having large quantities of data and not knowing why you do and where you store it so that a data breach can become catastrophic. As the DLA Piper Report notes, this can be further compounded by legacy data (data collected before the GDPR came into effect) which means that much of it is unstructured and does not follow the storage procedures provided by the GDPR. Thus, such data must be mapped first before your organisation can consider data minimisation techniques. The Privasee platform is an automated self-compliance solution that can help you complete your data mapping in a matter of minutes!

As an organisation, you must also have in place a mechanism for deleting data, electronic or otherwise, either because you no longer need it or because you were asked to. Deleting physical data can be easily done with a shredder but when removing electronic data, your organisation must also take care to remove any backup you may have made in the past. Your organisation must make sure that the deleted data is no longer usable in any shape or form in case there is a data breach, which involves making sure that data is not simply sitting in the recycle bin where it can be easily recovered.

See our Article on how one company was fined £13,000 for failing to delete old employee email-boxes.

The ICO recommends either:

1. Installing a deletion software that will overwrite data or;

2. Contracting IT experts.

Case study

In 2020, SPARTOO SAS was fined €250,000 under various articles including Article 5(1)(c) GDPR for permanently recording all conversations between employees and clients as it was a disproportionate amount of data needed for its purposes, which were for training staff. The heavy recording of telephone calls also meant that customer banking details given over the phone were recorded and stored, which as sensitive data requires further safeguards such as encryption, which were not in place in this instance.

Key takeaways

  • Using software such as the Privasee platform will direct you to where exactly within your organisation legacy and other types of data are located and the amount of data you hold.
  • Identifying where you can minimise the amount of data you hold or where data has been held for longer than is necessary for your purposes is crucial in satisfying GDPR Article 5.
  • Mapping data can help you visualise how much data you record and thus remove the danger of recording more than is required to fulfil your purposes within the organisation.

Reason 5: Disrespecting Data Subject rights

Linking from the above, your organisation must be able to understand what data subject rights consist of and what actions are required when data subjects file requests regarding their data such as a Subject Access Request (SAR).

Case study

A town clerk at Whitcurch was fined for blocking a Freedom of Information (FOI) request which directly infringes data subject rights. A business was also fined £15,000 for failing to respond fully to a data subject access request and which later ignored an enforcement notice.

Key Takeaways

  • Ensure your organisation is aware and informed of the ways of dealing with SARs
  • Understand that your organisation must respond within one month of receipt of the SAR and if not, have a viable excuse for the delay.
  • Within this month, you must also satisfy yourselves that the identity of the person making the SAR is legitimate and not, for example, a fraudster using someone else’s identity to access their personal data.
  • You must also identify where the personal data they are requesting is located and be responsible for conducting an appropriate sweep of all your databases to locate them in an efficient and proportionate manner.

Reason 6: Transferring data unlawfully

A hefty fine can also be incurred if your organisation transfers data in an unlawful manner to a third party outside of the EEA territories or within the EEA countries but without a relevant safeguard in place.

Whilst no fines have yet been given for this as there is a 4 month transition period for companies to adapt to the new Brexit climate, it would be wise for your organisation to properly map your data flows so that you are aware of any safeguards that would be required. Furthermore, understanding this would allow your organisation to appoint a relevant EU representative. See our Article How does Brexit affect your organisation’s data protection for more information.


Privasee does not hold the above article to constitute legal advice in any form.

More information can be found on the ICO Website

Sources and other articles

April 16, 2021

Frequently asked questions

Do I need to connect all my tools and third parties?

We never have access to any of your data, our platform is able to scan each tool and provide recommendations without needing to access any of the data within those tools.  There's no need for your dev' team to do anything, there are no security risks, just tell us the tools you use and we will do the rest.

What is the scope of my privacy policy?

Our policies are not just about my website or service. Once set up, our platform will help you map-out internal and external processes, such as HR, finance, and more!

Do I need to replace my current policy for the privacy portal?

We recommend replacing your current policy with our policy, this way you’ll remain compliant as your business changes and as the laws update.

Do I need help filling out my details?

Setting up is easy, just follow the on-screen commands and go through a few short steps to add your tools. You don't need any technical ability, anything you don't know the answer to you can ask us via our live chat or add later.

Why can’t I just use a template and add it to my website myself?

A template will not be applicable to your particular business as there are many things to consider for each tool you use. Also the template will not automatically update when changes happen in your business and when changes to GDPR laws are released. This can leave you vulnerable to breaking GDPR laws.

What if you don’t have the tools and third parties that I have?

We have a huge selection of tools pre-loaded and anything you don't see you can add directly from the platform as well as mapping data for any custom software you may use.

Which plan should I choose?

Our Essential Plan is perfect for people just getting started, small businesses, self-employed people and early stage companies. It allows you to get set up and start making your site GDPR compliant. You can move to our pro plan when you grow and your needs become more complex.

Our Pro Plan is aimed at SMEs and is our most popular plan as it includes everything you'll need such as a cookie banner, multiple languages as well as dedicated support.

Our Agency Plan is aimed at businesses that operate with clients needing GDPR solutions. The plan allows you to onboard clients as well as benefit from the Pro Plan for your own site.

Our Enterprise Plan is our most customisable and inclusive plan aimed at large, corporate businesses. We will essentially build you a bespoke plan with full maintenance support, onboarding classes and full company-wide access.

Feel free to get in touch to discuss our GDPR Compliance Software solution.

How easy is it to set up?

Signing up is super easy. The platform will ask you a few basic questions and then you can add your tools - don't worry if you don't know them all, you can come back and add tools at any point. The platform will then generate you the correct privacy policy based on your information, you can there share it directly on your site. That's it!

What size companies is Privasee aimed at?

Privasee has a plan for smaller companies as well as larger enterprise companies. For companies small to medium you can signup directly. For bigger enterprise companies get in touch with your requirements and our team will build you a bespoke plan.

I already have a privacy policy, do I need Privasee?

You have a legal responsibility to keep your policy up to date with every change in legal requirements for every tool you have. With Privasee you are always covered.

Still have questions?

Support details to capture customers that might be on the fence.