Small UK business owners won’t have missed talk of General Data Protection Regulation (GDPR), but deepening uncertainty remains over how they will meet the demands of a new data protection bill in the absence of substantial government guidance.
On 8 August, the Department for Digital, Culture, Media & Sport (DDCMS) announced a new data protection bill to give consumers greater control of their online data. The bill, awaiting parliamentary scrutiny, puts the requirements of the EU’s GDPR into UK law and will be implemented on 25 May 2018.
Although Matthew Hancock, minister of state for digital, claimed both businesses and consumers would be protected, the bill was announced alongside non-compliance fines of up to £17m, or four per cent of annual turnover.
Ian Cass, chief executive of the Forum of Private Business (FPB), said Hancock’s comments gave small company owners “no comfort whatsoever”, due to uncertainty over obligations and fears of non-compliance.
While Cass agreed with the principles of GDPR, he said: “No one in power has thought about the small and micro businesses that make up 98 per cent of the UK’s 5.2m businesses.”
Business Advice got in touch with Cass to find out how the lack of clarity has occurred and what the growing dangers of a misinformed debate are.
The first suggestion is the absence of practical small business guidance from the Department for Business, Energy and Industrial Strategy (BEIS).
“When you look for it, there is very little information out there. The obvious place for me to ask was BEIS – saying ‘there’s a huge piece of compliance coming in, do you have a simple guide that we can share with our members?’.”
BEIS was unable to share anything in the way of a tailored framework for small firms, stating guidance would be delivered at a later date. “Nobody seems to be saying what it means in simplistic forms,” Cass added.
Another organisation, which asked for anonymity, told Business Advice it had received a draft “guide to data sharing” circulated by BEIS, requesting feedback that would inform official guidance to be published once the new bill is introduced.
“Our current understanding is that the Data Protection Act 1998 (DPA) is due to be replaced from May 2018 under GDPR.
“While we do not expect that substantial change to the guide will be required, we are circulating this guide as a draft for comment.
“Our intention is to finalise the guide on replacement of the DPA.”
Many business owners will be hoping to make the necessary preparations for the new data protection bill prior to its day of introduction.
Since GDPR came into effect in March, the Information Commissioner’s Office (ICO) – the UK’s data protection authority – has already demonstrated the consequences of breaching regulation.
Two high-profile data protection cases saw airline Flybe and car manufacturer Honda left with £70,000 and £13,000 fines respectively for breaking marketing email guidelines – not an unrealistic scenario for a smaller company to find itself in. With the added scare factor of the headline threat of £17m non-compliance fines, business owners have become increasingly anxious.
“BEIS is in danger of creating complete inertia (among small firms). Small business owners are terrified of doing something wrong, and the perception is ‘we better not do anything until we find out’,” Cass warned.
With awareness low and fears mounting, the potential for so-called “GDPR experts” to exploit the knowledge vacuum is emerging.
“The hot thing at the moment is making money out of GDPR, with companies inviting small business owners to attend a conference, a workshop or a training session that costs £400,” Cass revealed. “But where is the government information on all of this?”
Cass echoed the four central concerns of new data protection rules recently articulated by the FPB.
Firstly, the implications of legislation have only reached large businesses with the resources to employ consultants, while the bill’s impact on small companies is yet to be clarified.
Secondly, the bill only seeks to change the way big businesses handle consumer data, ignoring how changes would affect small firms.
Thirdly, the FPB raised concerns that obtaining overt consent from prospective customers is unrealistic for small business owners dependent on email marketing lists in a world of electronic communication.
Finally, it claimed small and micro businesses already faced “disproportionate” costs in regulation compliance. With added pressures to train staff or purchase new tools, companies could face cash flow problems.
As proposed by the FPB, Cass emphasised the importance of an open dialogue between small business and government via a working group.
“There’s nothing to stop government getting a group of small business people and trade associations into a room to talk this through and pull something tangible together, but there doesn’t seem to be any sign of doing that. That would be the quickest and easiest solution to get some answers in place.
“The government doesn’t seem very eager to engage directly with small businesses and I think that’s exactly what they should be doing.”
Cass also questioned the commitment to the bill once Britain left the EU. Would the data protection bill in its current form represent long-term legislation or would it be replaced? “There are far more questions than answers at the moment,” he added.