ICO 'inundated' with SMB calls asking for GDPR guidance

The data watchdog's website is also experiencing outages as GDPR comes into force

The UK's data protection watchdog is receiving over 2,500 calls every week from small businesses seeking last-minute advice on how to comply with the General Data Protection Regulation (GDPR), it has emerged. Many of the calls are queries about what data can and can't be processed.

The Information Commissioner's Office (ICO) website, which serves as an information portal for guidance on data protection law, has also experienced intermittent outages since Thursday, and is offline for maintenance at the time of writing.

Responsible for overseeing the protection of digital rights, the ICO suggested earlier this week that it faces a monumental challenge in dealing with requests from the country's smallest businesses, particularly those that lack the necessary legal expertise.

"The ICO's biggest problem is going to be just dealing with those phone calls that come in, where the answer will 'no, it's fine to do this'," Nigel Houlden, head of technology policy at the ICO, said at a Westminster eForum panel event in London on Tuesday.

"That's from the companies as well, which is quite surprising. Our enquiries line is taking 2,500 phone calls a week, mostly from SMBs who are asking those types of questions. We are answering them."

While the regulator has introduced a helpline specifically for SMBs trying to comply with GDPR, it currently has a warning to any callers saying call wait times are exceeding one hour.

Houlden placed much of the blame on the mainstream media, suggesting that misinformation about the new data protection laws is being spread in the pursuit of flashy headlines.

"They don't understand it and they'd rather get a shiny glossy headline out of it, like 'GDPR just killed my Granny'," said Houlden. "I think it's down to us... to get out there and spread the word."

The new European data regulations have come into force as of today, marking a fundamental overhaul of the way data is processed throughout the EU. The new rules grant individuals greater powers over the way their data is handled by companies, which in most cases has required an overhaul of internal company processes in order to remain compliant.

Although the UK will soon be leaving the EU, a 2018 Data Protection Act that mirrors GDPR received Royal Assent this week, effectively enforcing the EU regulations in all but name.

Despite offering comprehensive guidance on how to adjust to the laws, the ICO admits companies have struggled to adjust ahead of the deadline.

"I think a lot of that comes down to education," said Houlden. "I think that's part of the ICO's responsibility. We certainly want to help educate the public, but we also want to help educate businesses."

Although GDPR is now in force, the ICO has made it clear that becoming compliant will be an ongoing exercise, and that only those who show an unwillingness to abide by the new regulations are likely to face the harshest regulatory action.

"We want companies to succeed," he added. "The ICO is not the big bad wolf; we're not sitting there rubbing our hands together waiting for Friday going, 'haha, we're going to fine you lots of money'. That's not what we're about, that's not what we want to be. We believe in education."

The ICO has also urged companies to conduct data protection impact assessments (DPIAs), to spot any potential weak spots in their data protection measures.

"Keep hold of them, document them," said Houlden. "Should you for any reason require us to come knocking, they will be very useful. They are things we can take into account that you've tried to mitigate certain risks. They are not just a paper exercise. They are something we will take into account during any regulatory action we might have to take."

While the ICO is keen to work with companies rather than punish them, Houlden made it clear that those that are "willfully neglectful" will "feel the wrath of the ICO".

"The ICO will always be pragmatic," he added. "We're not here to kill industry. What we're here to do is just protect people's privacy, protect your rights."

If you're a small business looking for advice on what the new data protection regulations mean for you, we've put together a quick guide that's available here.

We've also put together a wider guide that's applicable for all businesses here, as well as a checklist on what you need to do to become compliant.
