As the largest data protection changes in a generation, the General Data Protection Regulation (GDPR), comes into force today, there are concerns that many small businesses are still unprepared. The warning comes from the Federation of Small Businesses (FSB) alongside a call on the Information Commissioners’ Office (ICO) to take a sensible and proportionate approach to enforcement, particularly during the initial period.
Earlier in the year, research by FSB found that around two thirds (68%) of smaller businesses had either not started or were only in the initial stages of GDPR preparation. Worryingly, only eight per cent of small businesses had completed their preparations at that stage.
FSB National Chairman, Mike Cherry, said: “GDPR is here and the likelihood is that many of the UK’s 5.7 million smaller businesses will not be compliant. It is concerning that the burden and scale of the reforms have proven too much to handle for some of these businesses and there is now a real need for support among the small business community. It is imperative that the ICO initially deals with non-compliance in a light touch manner as opposed to slapping small firms with fines. Small businesses must see the ICO as a safe space where they can go for advice and help in making the changes necessary to be compliant.”
The ICO has reported that they have received more than 2,500 calls a week from small businesses, many raising their concerns on GDPR. In an appearance to the Brexit Select Committee earlier this month, the Information Commissioner Elizabeth Denham stated that she wouldn’t be a “bonkers regulator” in ensuring small businesses were compliant.
Responding to these findings, Cherry voiced his concerns about the ability and readiness of the ICO to manage the high volume of traffic expected to come its way. Cherry, said: “It is expected that the number of small businesses contacting the ICO will continue to rise as more and more continue their preparations for GDPR compliance. The ICO must be adequately and correctly resourced to manage these enquiries efficiently so that small firms aren’t made to wait for advice. I welcome the comments from the Information Commissioner, Elizabeth Denham, who stated that her focus would be on serious breaches and larger companies rather than small businesses. However the acid test will be whether good intentions are translated into actual practice on the ground.
“Fines and sanctions will only deter businesses, while education and support will ensure compliance across the sector.”
The new personal data protection laws will overhaul the processes that are involved for all businesses as to how they handle, store and protect data belonging to their customers.