ICO 'inundated' with SMB calls asking for GDPR guidance

Europe at night

The UK's data protection watchdog is receiving over 2,500 calls every week from small businesses seeking last-minute advice on how to comply with the General Data Protection Regulation (GDPR), it has emerged, many of which are queries around what data can and can't be processed.

The Information Commissioner's Office (ICO) website, which serves as an information portal for guidance on data protection law, has also experienced intermittent outages since Thursday, and is currently offline for maintenance at the time of writing.

Responsible for overseeing the protection of digital rights, the ICO suggested earlier this week that it faces a monumental challenge in dealing with requests from country's smallest businesses, particularly those that lack the necessary legal expertise.

"The ICO's biggest problem is going to be just dealing with those phone calls that come in, where the answer will 'no, it's fine to do this'," Nigel Houlden, head of technology policy at the ICO, said at a Westminster eForum panel event in London on Tuesday.

"That's from the companies as well, which is quite surprising. Our enquiries line is taking 2,500 phone calls a week, mostly from SMBs who are asking those types of questions. We are answering them."

While the regulator has introduced a helpline specifically for SMBs trying to comply with GDPR, it currently has a warning to any callers saying call wait times are exceeding one hour.

Houlden placed much of the blame on the mainstream media, suggesting that misinformation about the new data protection laws is being spread in the pursuit of flashy headlines.

"They don't understand it and they'd rather get a shiny glossy headline out of it, like 'GDPR just killed my Granny'," said Houlden. "I think it's down to us... to get out there and spread the word."

The new European data regulations have come into force as of today, marking a fundamental overhaul of the way data is processed throughout the EU. The new rules grant individuals greater powers over the way their data is handled by companies, which in most cases has required an overhaul of internal company processes in order to remain compliant.

Although the UK will soon be leaving the EU, a 2018 Data Protection Act that mirrors GDPR received Royal Assent this week, effectively enforcing the EU regulations in all but name.

Despite offering comprehensive guidance on how to adjust to the laws, the ICO admits companies have struggled to adjust ahead of the deadline.

"I think a lot of that comes down to education," said Houlden. "I think that's part of the ICO's responsibility. We certainly want to help educate the public, but we also want to help educate businesses."

Although GDPR is now in force, the ICO has made it clear that becoming compliant will be an ongoing exercise, and that only those who show an unwillingness to abide by the new regulations are likely to face the harshest regulatory action.

"We want companies to succeed," he added. "The ICO is not the big bad wolf we're not sitting there rubbing our hands together waiting for Friday going, 'haha, we're going to fine you lots of money'. That's not what we're about, that's not what we want to be. We believe in education."

The ICO has also urged companies to conduct data protection impact assessments (DPIAs), to spot any potential weak spots in their data protection measures.

"Keep hold of them, document them," said Houlden. "Should you for any reason require us to come knocking, they will be very useful. They are things we can take into account that you've tried to mitigate certain risks. They are not just a paper exercise. They are something we will take into account during any regulatory action we might have to take."

While the ICO is keen to work with companies rather than punish them, Houlden made it clear that those that are "willfully neglectful" will "feel the wrath of the ICO".

"The ICO will always be pragmatic," he added. "We're not here to kill industry. What we're here to do is just protect people's privacy, protect your rights."

If you're a small business looking for advice on what the new data protection regulations mean for you, we've put together a quick guide that's available here.

We've also put together a wider guide that's applicable for all businesses here, as well as a checklist on what you need to do to become compliant.

Image: Shutterstock

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.