Procurement · 25 May 2018

GDPR watchdog tells small businesses: “We are not looking for perfection”

ICO officers raided Cambridge Analytica offices in March 2018

The UK’s information commissioner has spoken to small business owners on the day of GDPR’s introduction to hint that the watchdog will focus on bigger players over high street employers.

Tough new data protection laws, through the EU-led GDPR directive, have today arrived after months of fraught anticipation, unanswered questions and consent request emails.

With top-line non-compliance fines threatening companies with fines up to £17m (or 4% of annual turnover, whichever is higher), business owners up and down the country have been scrambling to get their house in order and encourage their customers to opt-in to continued communications.

Even upon the eve of GDPR, many felt ill-equipped. Almost half of UK business owners anticipated a non-compliance fine, a recent survey found.

Since Business Advice spoke to the Forum of Private Business’ (FPB) director, Ian Cass, in the summer of 2017, its been clear that micro firms and sole traders have felt uninformed and unprepared for GDPR. “There are far more questions than answers at the moment,” Cass told us back then – a feeling that may still resonate with many entrepreneurs.

GDPR support for small firms
ICO helpline
Guide to the GDPR
GDPR checklist
12 steps to prepare now

However, the UK’s information commissioner, Elizabeth Denham, has now appealed to these fears with words of reassurance for small business owners on the day of GDPR’s legal enforcement.

Speaking to BBC Radio 4’s Today show, Denham said the ICO would only target persistent offenders, and suggested that efforts made towards compliance would see small firms treated proportionately by the regulator.

“Today is not a deadline. What we’re looking for is commitment to move forward to their new obligations. We are not looking for perfection. It’s nonsense to think the regulator is going to be making early examples of small businesses by levying large fines,” she told Today presenter Mishal Husain.

Denham did put to bed claims that the ICO may offer businesses a “grace period”, but said smaller employers could continue to trade as normal.

“The focus of our enforcement is not going to be the high street butchers, or the gardening business, and many of these organisations that are not data intensive are not going to be affected by this new law,” she explained.



Could your company detect a data breach before the GDPR hourglass empties?

Once a data breach is detected, you only have 72 hours to inform regulatory authorities, and they’re going to want to know all the “who, what, when and where” details about the exposed data.


“We are going to be focused on businesses that deliberately, persistently or negligently misuse data. That’s what people expect us to do.

“We don’t have thousands of inspectors going out there and checking people’s homework. But what we do have is millions of data subjects – millions of people and users that have new rights, and they can take a complaint against a company to our office.

“We are a proportionate (and) harms based regulator. We are going to be looking at issues that create harm and where companies are misusing the data.”

Denham used the case of Facebook and Cambridge Analytica to demonstrate the system of enforcement – while it can follow up individual complaints, the ICO is also prepared to take proactive steps to investigate.

She added: “Small business should not panic. If we had a complaint, if we had a data breach and a company came to us, then we would first look at whether they were on their compliance journey, if they were aware of what they needed to do, if they had safeguards in place to protect leakage of personal information. There are some really basic things companies should do to protect this important asset that is personal data.”

Denham told listeners that GDPR specialists would only be required for complex data arrangements, while “most small businesses can rely on the material that is available.”

Are you satisfied that the ICO has offered small businesses sufficient time and resources to prepare for GDPR? Let us know at

Sign up to our newsletter to get the latest from Business Advice.



Praseeda Nair is the editorial director of Business Advice, and its sister publication for growing businesses, Real Business. She's an impassioned advocate for women in leadership, and likes to profile business owners, advisors and experts in the field of entrepreneurship and management.

Work and Wellbeing