Data regulator will not make example of small businesses over GDPR
The information watchdog has said it is not looking to make an example of small businesses which fall foul of the EU’s new data protection law.
On the day the General Data Protection Regulation (GDPR) comes into force – giving regulators new powers to fine firms which misuse data – the Federation of Small Businesses (FSB) warned that many of its members are still not properly compliant.
However, Information Commissioner Elizabeth Denham, who is responsible for enforcing the new regulations, said they would not be expecting “perfection” from small firms from day one.
She said many smaller concerns would not be affected by the introduction of the GDPR.
“What we are looking for is a commitment to move forward with their new obligations. We are not looking for perfection,” she told BBC Radio 4’s Today programme.
“It is nonsense to think that the ICO (Information Commissioner’s Office) is going to be making early examples of small businesses by levying large fines.
“The focus of our enforcement is not going to be on the high street butcher or the gardening business. We are going to be focused on businesses that deliberately, persistently or negligently misuse data.”
Her comments came after the national chairman of the FSB, Mike Cherry, urged the ICO to show understanding in its handling of small firms.
“GDPR is here and the likelihood is that many of the UK’s 5.7 million smaller businesses will not be compliant,” he said.
“It is concerning that the burden and scale of the reforms have proven too much to handle for some of these businesses and there is now a real need for support among the small business community.
“It is imperative that the ICO initially deals with non-compliance in a light-touch manner as opposed to slapping small firms with fines.
“Small businesses must see the ICO as a safe space where they can go for advice and help in making the changes necessary to be compliant.”
Mr Cherry said he welcomed the ICO’s approach but warned: “The acid test will be whether good intentions are translated into actual practice on the ground.
“Fines and sanctions will only deter businesses, while education and support will ensure compliance across the sector.”
As the new regulation came into force, the ICO reported on Thursday that sections of its website were struggling with demand from users visiting with GDPR-related queries.
“We are experiencing unprecedented demand for our payment services as we approach the introduction of the GDPR, which is causing our online service to run more slowly than usual,” the regulator said in a tweet.
“You may contact us at a later date if you experience any delays using our online payment services.”