Is your business breaking the law?

Do you consider your business to be ethical, upstanding and law abiding?

Do your policies talk about employee respect, standards and behaviour, social media rules, drugs and alcohol?

Does your business abide by industry standards for health and safety, distance selling, kite marks, ISO standards, even PCI?

Most businesses will recognise and uphold many of the above without a second thought.

So why is breaking the law concerning GDPR acceptable?

The GDPR is law after all and not optional. But many organisations are choosing not to do anything about GDPR.

Comments like these are not uncommon about GDPR:

“project has had to take a back seat for now.”


“I’m taking care of more urgent things, but I imagine this will re-surface by itself sooner than later.”

So, from this we can assume that, at least for some businesses, GDPR might be important, but they really don’t see it as something they should be prioritising.

We probably won’t get caught?

One big reason an organisation wouldn’t prioritise GDPR is because they don’t think they are going to get caught, and after all lots of people are doing little or nothing, so why should they?

And if you were a gambler you might think that approach had favourable odds.

Let’s consider breaking some other laws and see if we can draw some comparisons.


Most people who drive break, or have at some point broken, the speed limit and have therefore broken the law. It would seem to be a socially acceptable crime.

Texting, or talking directly into a mobile phone whilst driving

Most people should by now know that using a mobile in any way without hands-free whilst driving is a criminal offence leading to a £200 fine and 6 points on a licence. Anyone caught who has been driving less than 2 years will be banned from driving. With cheap Bluetooth headsets and almost all vehicles enabling phones to be connected, there is no technical reason to have to do it. Yet we see people all the time either on their phone or texting whilst driving, even though the consequences and fines can be greater than those for speeding.


At the other end of the spectrum murder is unlikely to be acceptable to pretty much anyone reading this. But people do it.

So, we see that the appetite for breaking the law is a scale and everyone sits on it somewhere, and the same goes for organisations.

For some, GDPR might be seen as equivalent to speeding, in that there is a low risk of getting caught and everyone does it, so if we do get caught it’s just unlucky.

But, GDPR could be Murder for some

Consider the following.

A serious GDPR breach could put most organisations out of business – that’s equivalent to a life sentence.

A breach, even if minor, where an organisation must publicly apologise in the press and/or to affected individuals IS NOT socially acceptable; see what happened to TalkTalk, Facebook, and more recently Marriott Hotels.

People vote with their feet.

ICO Fines businesses for not taking the Simplest Step towards GDPR

And if you still think you won’t get caught, or won’t get caught yet, or have time to get around to it, maybe talk to one of these organisations, currently in the ICO’s firing line.

“More than 900 notices of intent to fine have been issued by the ICO since September and more than 100 penalty notices are being issued in this first round.”


You might think you can get away without doing anything on GDPR, and certainly many organisations will do exactly that.

However, consider all the ways in which you might be exposed.

  • Your employees – particularly ex-employees
  • Contracts with other organisations
  • Your website privacy notice
  • ICO Registration
  • Your emails

All the above, and more, are externally visible outside your organisation, and they all show you aren’t compliant yet.

Talk to us about our ‘good enough’ service, keeping you under the radar and on the right side of the law.

Contact us

If you would like to know more about how GDPR Auditing can help your organisation with the GDPR please contact us at or visit our contacts page.

The information provided in this post is for general information only and is not intended to provide legal advice.

© GDPR Auditing 2018.