Small firms could “fall foul” of new General Data Protection Regulation

(Picture: Brian Lawless/PA Wire)

(Picture: Brian Lawless/PA Wire) - Credit: PA

Ignorance will not be bliss for small firms if they find themselves falling foul of new data protection rules, businesses have been warned.

It is less than a year until the European General Data Protection Regulation (GDPR), which governs the recording and use of personal information, comes into force, and companies large and small are shoring up their digital defences in preparation.

But David Howell, Norfolk branch chair of the Federation of Small Businesses (FSB), said smaller operations are at greater risk of being penalised for breaches due to a lack of understanding of the legislation.

Mr Howell, a director at Values Training Services in Watton, said: 'It may be more detailed than they think. I do not think it will be a big expense for small businesses, but they may fall foul of the legislation and end up being fined.

'With everything else that is going on at the moment people have put it on the back-burner. They have to be looking to the future now to start implementing data protection into their day-to-day practises.'

Simon Lunness, who runs Holray Booking System with wife Rachel, said their firm will be classed as a 'data processor' under GDPR, bringing it into the remit of data protection legislation for the first time.

In preparation, the Norwich-based company, whose online booking service is used by Broads boat hire firms including Herbert Woods, upgraded its anti-virus software and computer operating systems and integrated hard drive encryption on all mobile devices.

Most Read

Mr and Mrs Lunness have also signed up for voluntary courses on software penetration testing and GDPR, and are trying for accreditation from cyber security organisation APMG International.

Despite being 'indignant' about the changes at first, Mr Lunness said the couple have come to see it as an opportunity to review their data recording practises.

'It is a sensible set of precautions, a sensible way of treating people's data,' he said.

Kitty Rosser, associate at law firm Birketts, said: 'Businesses are starting to realise that ignorance is not going to be a defence and that they have to get their processes in order.'

She added that small tech companies with limited resources could be among the worst hit. 'For us here it is a very thriving sector but unfortunately they are the ones that are going to struggle.'

Victoria Spellman, partner at Goatelee solicitors in Ipswich, said businesses needed to understand how breaches of the legislation could impact them with the power of subject access requests, where a person can request what data is being held by an organisation on them and how it is used, being bolstered.

She said: 'There is a requirement for businesses to report breaches to the commissioner themselves within 72 hours, so there will be a self-outing system which can then trigger an audit.

'Keeping on top of the data a business holds is going to be very important as failing to respond to a subject access request can trigger the higher level of fine, up to 20m euro or 4% of turnover.'

Become a Supporter

This newspaper has been a central part of community life for many years. Our industry faces testing times, which is why we're asking for your support. Every contribution will help us continue to produce local journalism that makes a measurable difference to our community.

Become a Supporter