GDPR and small businesses: overcoming the challenges

Author: Sonali Parekh, Policy Director, Federation of Small Businesses

In this comment piece for the Observatory's Data Fortnight, Sonali Parekh, the Federation of Small Businesses’ Policy Director, discusses the impact of GDPR on the FSB’s members and the steps the Information Commissioner might continue to take to support small businesses through this change in regulation.

Smaller businesses understand that the regulation of personal data is important. It builds trust amongst current and future customers. It reassures them that their data won’t be abused or treated recklessly, thus reducing some of the risks that accrue to the generation or supply of personal data to a business. Such reassurance is likely to maintain – and even increase – levels of demand for products and services. Personal data regulation facilitates the conduct of basic business operations, such as the taking and making of payment, but it also has profound implications for business growth. Personal data is an indispensable complement to key drivers of business performance, such as market orientation, technological innovation and relational capital.

However, the implementation of the General Data Protection Regulation (GDPR) is posing severe challenges for many smaller businesses. It will significantly increase regulatory demands, and there is a real risk that it will hamper the ability of smaller enterprises to innovate with data to enhance their competitiveness. In addition to the ongoing cost, GDPR comes with a £5 billion implementation bill for smaller firms as they get ready for the new regime.

Our recent research – Data Ready – exposes just how unprepared many smaller businesses are. When we undertook the research earlier this year, almost a fifth of our smaller businesses (around one million smaller firms) were unaware of GDPR, with 34% (approximately 1.9 million smaller firms) being aware of GDPR but having little understanding about its requirements. And 35% of microbusinesses had not even started preparations for GDPR. Of those smaller firms who had undertaken steps to comply with GDPR, very few were at an advanced stage of preparation. These are sobering statistics.

The types of activities required for firms to comply with GDPR include: changes to internal business practices; increases to the security of ICT; training; giving data protection responsibilities to an individual in the business; and data audits. Crucially, our research showed that over half of smaller businesses were looking – or were planning to look – to the Information Commissioner’s Office (ICO) for support on the implementation of GDPR.

Therefore, it is essential that the Government and the ICO act with well-designed measures to support smaller businesses through this ‘implementation challenge’. The setting up of the small business helpline is a step in the right direction. And we welcomed the additional Government funding made available recently for the ICO to run a campaign to raise awareness of GDPR amongst smaller businesses.

Whilst raising awareness is, of course, essential, alone it will not be enough.

So the FSB very much welcomes the Information Commissioner’s recent comments in Parliament: “I will work very hard to ensure that small businesses have the tools they need. My office gets 2,500 calls on our small business line every week. We have tools that we have issued. We are working with the Federation of Small Businesses to help them help their members. I am not a bonkers regulator, so our focus will not be on small business. We will take action if there are serious behaviours that have to be corrected, but the sanctions, the fines and the new powers for the Commissioner are so that we can take action against serious harm for individuals, especially by larger companies. That is what it is about.”

We need the ICO to take a proportionate approach to the enforcement of GDPR which will enable firms to improve their data protection practices by creating an environment which emphasises prevention and learning. Key proposals to deliver the approach suggested by Elizabeth Denham would be as follows:

  • Introducing a “safe harbour” policy – smaller firms should be empowered to report voluntarily on non-compliance, with the incentive that they will receive intensive support rather than sanctions. “Safe harbour” will encourage those small firms that are not compliant to come forward and get the advice they need. A presumption of “safe harbour” should be instituted for those smaller firms reporting a data breach, as required by the GDPR. Only a persistent failure to comply in the future, after the requisite support has been provided, should result in action against the firm.

  • Give smaller enterprises the opportunity to correct technical breaches, particularly when the resultant data risk is considered low. Enforcement action should not be considered unless there is a failure to correct the breach after a reasonable period of time. Penalties and prosecutions should therefore be reserved for only the most egregious cases of negligence towards personal data.

  • Government should cap (and reduce where possible) ICO fees for smaller firms. Under the 2018 changes proposed by DCMS, a small design or marketing company, for example, could see its fee increase from around £35 currently to £100. This would add nearly a fifth to the direct financial cost that many smaller businesses already have to bear every year for dealing with personal data.

  • The ICO should improve its governance through a formal voice for small business at senior levels of the organisation. It is good practice for regulators to have a lay majority on their boards. The ICO should have a specific small business (lay) representative on its management board, since smaller firms make up more than 99% of the UK’s total business community. This will help the ICO better understand small businesses, and tailor its policies and activities towards them.