GDPR: ‘Don’t panic!’ data watchdog tells firms

Tough new data protection laws come into effect on Friday that promise to bolster consumer rights.

But there are concerns that many firms have not done enough to prepare for the new rules, known as GDPR.

Big fines could be imposed on companies that “persistently, deliberately or negligently flout the regulations”, the UK’s data watchdog says.

But it told small businesses there is no need to panic and that it is “here to help”.

Elizabeth Denham, the Information Commissioner, told BBC Radio 4’s Today programme that small businesses which did not make extensive use of customer data would not come under close scrutiny.

Instead, the focus would be on big companies – particularly those in the technology sector – that “deliberately, persistently or negligently misuse data”, she said.

While small businesses “should not panic” if they suffer a data breach, Ms Denham said there were some basic steps that companies should take to protect data.

As well as individuals being able to bring a complaint to the ICO, she said it could take action as it did in the case of Cambridge Analytica and Facebook.

She acknowledges there will be no grace period for businesses – the rules will be fully enforced from 25 May.

However, she says firms have had two years to prepare.

Business body the CBI believes many firms are ready for the new rules.

“You only need to look at your inbox to see businesses up and down the country are stepping up to make sure people are aware of their privacy policies,” a CBI spokeswoman said.

But firms that aren’t compliant “need to get their action plan sorted quickly”, she said.

The ICO is ready to help, and businesses should also consider getting external legal advice, she said.

“GDPR marks a watershed moment in how businesses deal with people’s data… How firms act with personal data goes right to the very core of trust in business.”

The penalties for wrongdoing could be quite hefty, especially for big companies.

The new rules give the Information Commissioner’s Office (ICO) powers to fine firms up to €20m (£17.5m) or 4% of global annual turnover for serious breaches.

Many smaller firms may not be prepared for the regulations coming into force, business body the Federation of Small Businesses (FSB) says.

“GDPR is here and the likelihood is that many of the UK’s 5.7 million smaller businesses will not be compliant,” chairman Mike Cherry said.

He says the “burden and scale” of the reforms have proven too much to handle for some.