Can you afford a fine of €100k for not having the correct data protection processes in place?

This is what happened to a company in Finland and it could happen to you here in the UK!! 

Posti Oy, the leading postal services in Finland, was reported by individuals to the Data Protection Ombudsman for having received communications and direct marketing from various companies after making change-of-address notifications to Posti Oy. The investigation carried out by the Office of the Data Protection Ombudsman revealed that Posti Oy had not informed the data subjects of their rights, including the right to object to the disclosure of data, in connection with making change-of-address notifications.

The company should have informed its customers clearly about their right to object to the processing of their personal data. Interestingly, only customers who bought additional services as well as making the change-of-address would receive a notification.

Posti Oy had communicated to the Data Protection Ombudsman, in 2017, that it would look into possibilities for improving the transparency of personal data processing. The company finally improved its practices 2020, only after the Office of the Data Protection Ombudsman had solicited them again.

The violations affected 161,000 customers in 2019 alone.

The sanctions board has imposed an administrative fine of EUR 100,000 on Posti Oy.