The ICO Is Not Hunting Your Business

Data Protection

The ICO is not hiding in a hedge outside your office.

It is not wearing night-vision goggles. It is not eating a meal deal in a parked van, waiting for Janet in accounts to send one spreadsheet to the wrong Steve.

Which, to be fair, is probably how half the UK economy currently functions.

But no.

The Information Commissioner’s Office is not hunting your business. And that is what makes this whole thing so irritating.

Everyone is reading the enforcement headlines. Almost nobody is reading the actual notices.

That matters, because the notices usually tell a much duller story than the headlines. Duller, but more useful. They do not read like spy thrillers. They read like management meetings that should have happened six months earlier.

They do not usually say, “You failed to buy a magic thing.”

They say, “You failed to run the business like an adult.”

I read twelve ICO enforcement notices against small organisations from the last eighteen months. Not the headlines. Not the LinkedIn panic posts. Not the vendor blogs with the subtle tone of, “Nice business you’ve got there, shame if something GDPR happened to it.”

The actual notices.

The same failures kept showing up.

Not exotic failures. Not advanced cyber threats. Not obscure legal traps. Not problems that needed a consultant, a framework, a webinar, a dashboard, and a logo refresh.

Just boring failures.

Which, naturally, are the ones businesses keep ignoring.

The first failure is the freeze

Something goes wrong.

An email goes to the wrong person. A file gets attached by mistake. A laptop disappears. A folder turns out to contain more personal data than anyone remembered. Someone finds a spreadsheet called “final final really final payroll old version” sitting in a shared drive from 2019.

That is not good.

But it is not always the real failure.

The real failure starts in the silence afterwards.

Nobody knows who owns the response. Nobody knows who starts the log. Nobody knows whether the clock has started. Nobody knows whether the ICO needs to be told. Nobody knows whether the affected person needs to be told.

Someone asks whether Outlook recall will fix it.

It will not.

Outlook recall is not a data protection strategy. It is a prayer with a ribbon menu.

This is where small organisations lose control. Not because the first mistake was catastrophic, but because nobody knows what happens next.

The boss assumes IT will deal with it. IT assumes management will decide whether it is reportable. HR assumes someone has told the directors. The directors assume there is a policy somewhere. The policy, if it exists, lives in SharePoint, unread, unloved, and probably last updated when fax machines still had career prospects.

Meanwhile, the clock is ticking.

The ICO’s small business guidance is not mysterious on this point. If a personal data breach is reportable, you need to act without undue delay and within 72 hours of becoming aware of it. You also need to keep records, even when you decide the breach does not need to be reported.

Yes, records.

Terrifyingly radical stuff.

A log. A named owner. A deputy. A short response process that tells people what to do when something goes wrong.

That does not need a compliance platform. It does not need a six-month project. It does not need a steering group with pastries.

It needs someone to write down who does what.

Who receives the first report. Who records what happened. Who assesses the risk. Who talks to IT. Who talks to the insurer. Who updates senior management. Who contacts the ICO if needed. Who contacts the affected person if needed.

If that sounds too simple, good.

Simple is the point.

A breach response process is not meant to impress a barrister. It is meant to stop your business freezing like a rabbit in headlights when Janet sends payroll data to the wrong Steve.

The clerk is not the problem

This is where a lot of business owners get it wrong.

They think data protection training means telling staff not to be stupid.

That is not training. That is management having a tantrum after the horse has bolted, joined LinkedIn, and started a newsletter.

A finance clerk who emails payroll data to the wrong person does not need a lecture after the event. They needed practical training before it.

Most staff do not mishandle personal data because they are careless idiots. They mishandle it because the business has never explained what personal data looks like in the real world.

People hear “personal data” and think passports, medical records, bank details, or something dramatic in a locked filing cabinet.

It can be those things.

But it can also be a name. An email address. A phone number. A complaint record. A support ticket. A membership list. CCTV footage. Appointment details. Payroll notes. HR records. Supplier contacts. Customer histories. Delivery information. Website enquiries.

In other words, the stuff that moves through a normal business all day, every day.

If your staff do not understand that, they cannot spot a breach. If they cannot spot a breach, they cannot report it. If they cannot report it, management cannot assess the risk. If management cannot assess the risk, nobody can explain the decision later.

Congratulations. You have now turned a mistake into a governance problem.

And it was avoidable.

Staff training does not need to be a forty-minute hostage video. It does not need stock photos of happy office people pointing at laminated nonsense. It does not need a quiz that everyone clicks through while eating a sandwich and quietly losing the will to live.

It needs examples from your business.

Show people what personal data looks like in your world. Show them a customer list. Show them a support ticket. Show them a payroll file. Show them an HR note. Show them an email thread that contains personal information. Show them the kind of thing they handle every week without thinking about it.

Then make the reporting route painfully clear.

If this happens, tell this person. Use this channel. Do it quickly. Do not sit on it. Do not try to fix it quietly. Do not delete things in a panic. Do not hope nobody notices.

And please, for the love of basic operational sanity, make one point very clear.

Do not hide it because you are embarrassed.

Embarrassment is cheaper than enforcement.

It is also cheaper than customer complaints, employee distrust, reputational damage, and the slow internal horror of realising that a small mistake became a serious issue because nobody wanted an awkward conversation.

The point of training is not to scare staff.

It is to make them useful when something goes wrong.

Because something will go wrong.

Someone will send the wrong file. Someone will copy the wrong person. Someone will upload the wrong list. Someone will lose a device. Someone will find old data that should have been deleted years ago.

The question is not whether mistakes happen.

The question is whether your people know what to do before the mistake becomes a full-blown incident.

If the answer is no, that is not Janet’s fault.

That is management failure wearing a GDPR badge.

The business that cannot find its own data

Now we get to the phrase that makes owners go glassy-eyed.

Record of processing activities.

I know.

It sounds like something invented to punish humanity. It sounds like a four hundred page legal document written by a procurement robot in a windowless room.

But at its simplest, it means this.

You know what personal data your business holds. You know why you hold it. You know where it lives. You know who can access it. You know who you share it with. You know how long you keep it. You know when it should be deleted. You know how you protect it.

In other words, you know your own business.

Radical stuff.

The ICO publishes templates for this. There is guidance for small and medium organisations. It is not hidden. It is not premium content. It is not locked behind a partner portal.

It is free.

And yet plenty of businesses still cannot answer basic questions about their own data.

Ask where staff records live and the answer is a tour of bad habits. Some are in HR software. Some are in SharePoint. Some are in email. Some are in payroll. Some are in a folder called “Old HR”. Some are on a manager’s desktop because “it was only temporary”, which is business language for “this will still be here in 2029”.

Ask how long customer records are kept and someone will say “as long as we need them”.

Lovely.

What does that mean?

Need them for what? Sales? Contracts? Complaints? Tax? Insurance? Legal defence? Nostalgia?

Ask who can access supplier bank details and watch the room start making the same face people make when the dentist says, “You may feel a little pressure.”

This is not bureaucracy.

This is stock control for trust.

You would not run a warehouse without knowing what was on the shelves. You would not run accounts without knowing who owes you money. You would not run payroll by shrugging and saying, “The numbers are probably somewhere.”

So why are businesses running on personal data they cannot locate, explain, justify, protect, or delete?

Because GDPR has been made to sound like legal fog.

Because too many owners hear data protection and switch off.

Because some providers have done a magnificent job of making normal business discipline sound like dark magic.

And because it is always easier to buy a shiny thing than admit nobody knows where the customer data lives.

The dashboard will not save you

Here is the bit that should make everyone uncomfortable.

None of this required a new vendor.

You did not need a new firewall to know who handles breach reporting.

You did not need endpoint detection to tell staff that payroll data is personal data.

You did not need a risk platform to know where customer information lives.

You needed a document. A conversation. A named owner. A bit of training. A spreadsheet that tells the truth.

That is it.

But businesses do not like that answer, because boring governance is not sexy.

It does not produce a green dashboard. It does not give you a certificate to staple to your ego. Nobody at a networking breakfast wants to say, “We spent Thursday afternoon agreeing who calls whom when Janet sends the wrong attachment.”

But that is exactly the work that stops a small mistake becoming a regulatory problem.

The compliance industry knows this.

Some of it is excellent. Some of it is genuinely useful. Some of it helps businesses that would otherwise drown in confusion.

And some of it makes a very good living from keeping small businesses terrified.

Not informed.

Terrified.

Because fear sells tools. Fear sells retainers. Fear sells templated packs that nobody reads. Fear sells the idea that data protection is too complex for ordinary businesses to understand.

Which is very convenient.

If the owner believes GDPR is a dark legal swamp, they will pay someone else to pretend it is under control.

Sometimes it is not under control.

Sometimes it is just outsourced confusion with nicer fonts.

That is how you end up with a business that has a compliance folder, but no breach process. A training certificate, but staff who cannot spot personal data. A privacy policy, but no clue where the data actually lives. A dashboard, but no ownership.

Smoke, meet exit.

The ICO is not where the story starts

Small businesses often talk about the ICO as if it roams the country looking for easy targets.

That is the wrong mental model.

Your real exposure is much closer to home.

It is the customer whose data was sent to the wrong place. The employee whose HR file was mishandled. The supplier who asks why their bank details were exposed. The person who complains because nobody told them what happened.

The ICO is usually not where the story starts.

The story starts with a person.

Someone whose data has been mishandled. Someone who asks why it happened. Someone who asks who has their information. Someone who asks why nobody told them. Someone who does not get a clear answer and decides to complain.

Once that complaint lands, you do not want your answer to be, “We were still trying to work out who owns the spreadsheet.”

That is not a good look.

That is not a defensible position.

That is the sound of a missing process becoming visible.

And this is where the real risk lives.

Not in the headline. Not in the fine. Not in the scary legal language.

The real risk lives in internal fog.

Your staff do not know what to report. Your managers do not know who owns it. Your directors do not know what data the business holds. Your IT provider gets called too late. Your HR files live in three SharePoint libraries, two mailboxes, one desktop folder called “Old HR”, and possibly Sharon’s downloads folder from 2019.

But sure.

Let’s have another meeting about artificial intelligence policy.

Do the dull work before the room goes quiet

This is fixable.

That is the annoying part.

A twenty-person business could make serious progress this week without buying anything.

Someone can write the breach response process. One page is enough. Name the owner. Name the deputy. Explain how staff report an incident. Say where the log lives. Say who assesses risk. Say who contacts IT, the insurer, senior management, the ICO, and affected people when needed.

Then test it.

Ask someone what they would do if they sent a customer list to the wrong person. If they blink like a rabbit in headlights, the process has not landed.

Someone can train the staff.

Not with legal fog. Not by reading the policy aloud like a bedtime story from a tax tribunal. Use examples from the actual business. Show them payroll data, customer lists, HR notes, support tickets, CCTV, website enquiries, and email threads. Ask them what could go wrong. Ask them who they would tell. Ask them what they should avoid doing.

You are not trying to turn every employee into a data protection lawyer.

You are trying to stop people sitting on a breach for three days because they feel awkward.

That is the bar.

Clear it.

Someone can build the record of processing activities.

Start with the obvious places. Staff data, customer records, suppliers, payroll, accounts, marketing, support, CCTV, website forms, backups, email archives.

Then follow the trail.

Why do we have this data? Where does it live? Who can see it? Who do we send it to? How long do we keep it? What lawful basis supports it? How do we protect it? When should it be deleted?

This is not checkbox theatre.

This is basic operational control.

If you do not know what data you hold, you cannot protect it properly. If you do not know where it lives, you cannot secure it properly. If you do not know why you have it, you may not have the right to keep it. If you do not know when to delete it, you are probably building a future incident in slow motion.

The team meeting test

At your next team meeting, ask three questions.

If you accidentally sent personal data to the wrong person, who would you tell?

What information would you write down?

Where is our current list of the personal data we hold and why we hold it?

Then watch the room.

If people answer clearly, good.

If they hesitate, train them.

If they all look at the same person, document the process.

If the room goes quiet, that is the problem.

Not the ICO.

Not GDPR.

Not the lack of a shiny dashboard.

The silence.

Because the breach is only the moment your missing process becomes visible.

Read the notices before you buy the nonsense

The ICO notices are public.

Read three of them before your next management meeting.

Not because the ICO is coming for you.

Because it probably is not.

Read them because they show what small organisations keep getting wrong. Read them because the failures are painfully ordinary. Read them because the fixes are boring, free, and available this week.

No new platform.

No shiny consultant circus.

No regulatory theatre.

Just write it down.

Teach your people.

Know your data.

If that sounds too basic, congratulations.

You have just discovered why so many businesses still fail at it.

The ICO is not hunting your business.

But your customers, your employees, and your own records may expose it anyway.

And when they do, you will not wish you had bought another dashboard.

You will wish someone had asked the dull questions before the room went quiet.

Filed under

  • smb-security
  • uk-business
  • compliance-failure
  • business-risk
  • executive-security
  • incident-response