Even 'one-man band' SMEs will be hit by new EU data protection regime, warn lawyers

Butchers, bakers, candlestick makers (and plumbers) will ALL be ruled by the General Data Protection Regulation

Even the smallest of small businesses will have to comply with the EU's forthcoming General Data Protection Regulation (GDPR), lawyer JP Buckley of DLA Piper warned in a Computing web seminar broadcast this week.

Buckley, appearing on an expert panel alongside Fujitsu's Frank Reichart, called on the government and the Information Commissioner's Office to do more to help small organisations to prepare for the GDPR.

This is expected to come into force in 2018, with an aggressive enforcement regime that will likely be progressively ratcheted up. Fines for non-compliance could be as high as four per cent of turnover, a sum that has the potential to wipe out the annual profit margin of many businesses.

"It won't apply [to small businesses] in the same degree in practice, and I think the likelihood of enforcement action taking place against a relatively small business is pretty low," said Buckley.

"However, I think there is a need for government and other agencies to publish an easy guide to the GDPR for small businesses. That would really help because there are things that will change," he said. In particular, ensuring data is secure will be especially important, he added, with the requirement that organisations notify customers as soon as possible should a breach occur.

But most small businesses don't have the resources to bring in lawyers and consultants to, at the very least, ensure that they are reasonably compliant.

"People need to understand what their obligations are and SMBs really don't want to have to go to lawyers or technical experts to do that. They want something that they can read, understand and apply themselves," said Buckley.

"The details of the GDPR won't be finalised until the spring and it will be another two years before it's implemented," said a spokesperson for the Information Commissioner's Office (ICO).

The ICO, they added, had already published an assessment tool for SMBs to cover current data protection laws, and would do again when the GDPR is implemented. SMEs, they noted, had also come under the purview of the current data protection regime.

While the potential bureaucracy has raised fears among SMBs that the GDPR could prove to be a disproportionate burden on small businesses, a November 2014 petition to Parliament garnered just 74 signatures.

"Some of the proposed changes which will seriously affect SME's include:

• A much higher standard of consent;
• Abolition of subject access request fees;
• Mandatory appointment of a Data Protection Officer;
• More severe fines and penalties for non-compliance;
• Tracking of IP addresses banned; and,
• Increase red tape for business.

We want to the government to look into these proposed changes and request more time to be spent considering the devastating effect on UK small business."

One concession for small businesses outside of the European Union includes the admission that simply running an e-commerce website that takes orders from people within the EU will not come under the purview of the GDPR.

Computing's web seminar, 'GDPR is Coming - Make the Most of It', was sponsored by Fujitsu and first broadcast online on Wednesday 3 February at 11am. Register for email alerts to be the first to find out about future Computing webinars and events.

Forthcoming web seminars include 'How To Build A DevOps Team That Really Makes A Difference' and 'IT Security and Ease of Use: Why Simplicity Makes For Better Business Security'