GDPR: 'Don't panic!' data watchdog tells firms

By Tom Espiner
Business reporter, BBC News


Tough new data protection laws come into effect on Friday that promise to bolster consumer rights.

But there are concerns that many firms have not done enough to prepare for the new rules, known as GDPR.

Big fines could be imposed on companies that "persistently, deliberately or negligently flout the regulations", the UK's data watchdog says.

But it told small businesses there is no need to panic and that it is "here to help".

What is GDPR?

The General Data Protection Regulation (GDPR) applies to all organisations that handle European Union citizens' data.

The rules give consumers new rights, including rights to find out what data is being held on them, and to delete that information, unless a firm has a good reason to keep it.

Companies now have to get consumers' explicit consent to use personal information, unless they have a lawful reason not to, and getting people to give more personal information in exchange for a premium service is not allowed.

Firms also have to meet higher standards for keeping data safe.

Many have been sending out emails asking people to renew their consent to receive marketing.

[Image caption: The new laws will be good for consumers, says Which?]

Are the rules good news for consumers?

Definitely, says the Which? consumer rights group.

"GDPR will strengthen your personal data rights, including the way companies handle your data and redress for misuse of that data," says Which? consumer rights expert Adam French.

"Companies will need to tell you exactly what you're signing up for and you will have more control when it comes to opting out of future communications.

"You will also have more opportunities to make a claim for damage caused by the misuse of your data," he says.

Ailidh Callander, legal officer for campaign group Privacy International, says the new rules have "been a long time coming".

"GDPR is an important step in the right direction," she says.

Why are companies concerned?

The penalties for wrongdoing could be quite hefty, especially for big companies.

The new rules give the Information Commissioner's Office (ICO) powers to fine firms up to €20m (£17.5m) or 4% of global annual turnover for serious breaches.

Many smaller firms may not be prepared for the regulations coming into force, business body the Federation of Small Businesses (FSB) says.

"GDPR is here and the likelihood is that many of the UK's 5.7 million smaller businesses will not be compliant," chairman Mike Cherry said.

He says the "burden and scale" of the reforms have proven too much to handle for some.

And he says many small firms fear the ICO will be heavy-handed in dealing with non-compliance, "slapping" them with fines.

[Image caption: Firms could have to pay hefty fines for not complying with the new rules]

What does the watchdog say?

Elizabeth Denham, the Information Commissioner, told BBC Radio 4's Today programme that small businesses which did not make extensive use of customer data would not come under close scrutiny.

Instead, the focus would be on big companies - particularly those in the technology sector - that "deliberately, persistently or negligently misuse data", she said.

While small businesses "should not panic" if they suffer a data breach, Ms Denham said there were some basic steps that companies should take to protect data.

As well as individuals being able to bring a complaint to the ICO, she said it could take action as it did in the case of Cambridge Analytica and Facebook.

She acknowledges there will be no grace period for businesses - the rules will be fully enforced from 25 May.

However, she says firms have had two years to prepare.

Are all businesses worried?

Business body the CBI believes many firms are ready for the new rules.

"You only need to look at your inbox to see businesses up and down the country are stepping up to make sure people are aware of their privacy policies," a CBI spokeswoman said.

But firms that aren't compliant "need to get their action plan sorted quickly", she said.

The ICO is ready to help, and businesses should also consider getting external legal advice, she said.

"GDPR marks a watershed moment in how businesses deal with people's data... How firms act with personal data goes right to the very core of trust in business."