Small businesses and GDPR: don’t let words from the regulator lull you into a false sense of security

Small businesses were taking comfort from words of reassurance from the UK privacy regulator, but that does not mean they don’t need to worry about GDPR, experts suggest.

“It is nonsense to think that the ICO (Information Commissioner’s Office) is going to be making early examples of small businesses by levying large fines,” suggested Elizabeth Denham, the Information Commissioner, on the day GDPR became enforceable.

And those words gave comfort to small business owners, but Ardi Kolah, a director of the GDPR Transition Programme at Henley School, pointed out that of the six million or so small businesses in the UK, “the vast majority aren’t involved in processing high or very risky personal data and shouldn’t panic.”

Ms Denham “was focusing on risk management,” suggested Abigail Dubiniecki, also from the Henley Business School’s GDPR Transition Programme and a specialist in data privacy at My Inhouse Lawyer.

Ms Denham said: “The focus of our enforcement is not going to be on the high street butcher or the gardening business. We are going to be focused on businesses that deliberately, persistently or negligently misuse data.”

But that is not the same thing as saying all small businesses can take a relaxed attitude towards GDPR.

“You don’t have to be big to cause harm. Just one guy was behind the tools used by Cambridge Analytica,” explained Ms Dubiniecki. She explained further that a small business focusing on, say, search engine optimisation could cause massive harm with inappropriate use of data. So it’s not the size of the business that matters, it’s what it does.

Mr Kolah expressed a similar idea. “Liz Denham is right when she makes the point about not looking to chase down those companies where they don’t present the risk of harm or damage to their customers, clients or employees.”

Ms Denham did say, however, that the ICO is not looking for perfection from small businesses. “What we are looking for is a commitment to move forward with their new obligations. We are not looking for perfection.”

