The UK’s small business community is still worryingly unprepared for new data protection regulations, according to new research from the Federation of Small Businesses (FSB).
The research, published today, shows that a third of small businesses have not started preparing for the introduction of the General Data Protection Regulation (GDPR) while a further third are only in the early stages of preparations. Only eight per cent of small businesses have completed their preparations.
For those small firms starting to prepare for the changes, just over half say they will approach the Information Commissioner’s Office (ICO) for advice.
Mike Cherry, FSB National Chairman, said: “The GDPR is the biggest shake-up in data protection to date and many small businesses will be concerned that the changes will be too much to handle. It’s clear that a large part of the small business community is still unaware of the steps that they need to take to comply and may be left playing catch-up.
“With less than 100 days until the changes come into force, the attention now shifts to the Information Commissioner’s Office and whether it can effectively manage the demands of small businesses seeking advice and guidance. It is vital that smaller firms looking for this support, either by phone or the web, are able to get it easily.”
It is likely that some small businesses will not be compliant ahead of the May deadline. It is important, therefore, that the ICO takes a proportionate approach to enforcement and supports firms towards compliance as opposed to resorting to fines.
Cherry continued: “Non-compliance must initially be dealt with in a light-touch manner instead of handing down tough penalties. There must be a willingness to play a supportive role in ensuring that small businesses can and are able to comply. The ICO will be critical to creating an environment which focuses on education and prevention and not punishment.”
Information Commissioner, Elizabeth Denham, said: “I want to be clear that this law is not about fines; it’s about putting the consumer and citizen first, and rebalancing data relationships and trust between individuals and organisations.
“As regulator, we do have the power to impose larger fines under the GDPR, but we have access to lots of other tools that are well-suited to the task at hand, such as guiding, advising and educating organisations, and these are just as effective.
“The report tells us that many small and medium sized organisations are preparing for the new data protection laws but some still have to make a start. The ICO’s website offers a number of ways in which organisations of all sizes, and all sectors, can self-serve to get the help they need. We will study the survey findings carefully to see if we can improve the help we offer.
“We also know that many representative bodies and sector associations are also providing excellent GDPR advice and support for their members.”
Concerns around the pressures associated with complying with data protection regulations are still widespread among the small business community. 60 per cent of small businesses have reported lower profits due to complying with data protection and 31 per cent say that they have been forced to stop workforce expansion.
On average, small firms will spend seven hours per month meeting their data protection obligations, which equates to £1,075 per year. The direct cost of complying comes in at £508 per year. These costs will continue to grow with GDPR and further data protection regulation, such as ePrivacy, coming into force.
Cherry concluded by saying: “Small businesses do understand the need for, and the benefits of, data protection regulations. However, many struggle with the cumulative burden of the regulations and the costs that compliance brings both in time and money.
“In the long term, the Government must consider undertaking a regulatory review with the aim being to minimize the negative consequences of regulating data and maximize as many of the benefits access to, and use of, data can bring for smaller businesses.”