Small businesses "worryingly unprepared" for GDPR, warns Federation of Small Businesses

GDPR compliance probably comes pretty far down the list of small business concerns

The majority of small businesses in the UK are unprepared for the new General Data Protection Regulation (GDPR), the Federation of Small Businesses has warned.

Its research suggests that one-third of small and medium-sized businesses have not updated their IT infrastructure and business updates in order to make sure that they comply with the GDPR before the deadline of 25 May 2018.

Meanwhile, a further 35 per cent of small and medium-sized businesses claim to have started their preparations, but admit that they haven't been completed yet. Just eight per cent claim to be ready.

Small businesses may have put off compliance projects due to the costs combined with other business pressures, such as paying for rapidly rising business rates on shops and other premises.

There are also cost and timeframe issues. Currently, small firms spend £1,075 per year and seven hours per month on data protection, the FSB estimates. GDPR compliance will add another £508 to this bill.

Furthermore, under GDPR small businesses could also be swamped with subject-access requests, which they will have to perform for free. This could be especially costly if they are targeted by social media campaigns, for one reason or another.

Mike Cherry, national chairman of the FSB, said that GDPR will present small businesses with the biggest changes in data protection for years.

But he warned that many of them will fall behind.

"GDPR is the biggest shake-up in data protection to date and many small businesses will be concerned that the changes will be too much to handle," he said.

He continued: "It's clear that a large part of the small business community is still unaware of the steps that they need to take to comply and may be left playing catch-up.

"With less than 100 days until the changes come into force, attention now shifts to the Information Commissioner's Office (ICO) and whether it can effectively manage the demands of small businesses seeking advice and guidance.

"It is vital that smaller firms looking for this support, either by phone or the web, are able to get it easily."

The FSB expects many small businesses will fail to meet the 25 May deadline. Cherry believes that the ICO should do more to support these firms.

He continued: "Non-compliance must initially be dealt with in a light touch manner instead of handing down tough penalties.

"There must be a willingness to play a supportive role in ensuring that small businesses can, and are, able to comply. The ICO will be critical to creating an environment which focuses on education and prevention and not punishment."

Information Commissioner Elizabeth Denham said that companies should think about what the regulation means for their customers and citizens.

"I want to be clear that this law is not about fines: it's about putting the consumer and citizen first, and rebalancing data relationships and trust between individuals and organisations," she said.

"As regulator, we do have the power to impose larger fines under the GDPR, but we have access to lots of other tools that are well-suited to the task at hand, such as guiding, advising and educating organisations, and these are just as effective."