ICO inundated with 1,500 GDPR calls a week
An IT consultancy’s countdown to the GDPR early this month seems to have shaken many – but not all – smaller businesses into GDPR-related action.
In a speech on the May 2018 framework, Information Commissioner Elizabeth Denham revealed that her office was now receiving 1,500 calls a week, solely about GDPR.
The callers are likely to be among the more than one third of ‘small firms’ (defined as having fewer than 250 staff) which know of the GDPR, but are “only in the early stages” of preparations.
Almost as many SMEs have not even started their GDPR training or work, an FSB poll also shows, seeming to explain why GDPR consultants were last week said to be in “hot supply.”
“We’ve of course recognised that organisations with 250 staff or less face particular problems in understanding their obligations under the new law,” Denham said in her speech last week.
“We will continue to help. We will soon publish an overview – a roadmap – of the Data Protection Bill in response to feedback that it was complex and confusing.”
Already published is an ICO guide to a new data protection fee structure which ‘data controllers’ (outfits that decide the purpose for which people’s data is processed) must pay.
To be paid from May 25th, the fee is set to replace the requirement to ‘notify’ (or register), which is in the Data Protection Act, with “monetary penalties” potentially hitting non-payers.
However, in her speech, Denham described the ICO as a “pragmatic regulator” and said “hefty fines will be reserved for those who wilfully or persistently flout the law.”
Reiterating the message to micro-businesses, whose new GDPR tools will be offered by the ICO next month, the commissioner said: “This law is not about fines; it’s about putting the consumer and citizen first.”
However, EfficientIP believes it’s all too late. It says that as it typically takes 99 days to detect a data breach, February 15th was actually the last day companies had to ensure real-world compliance with GDPR.
The networking firm explained: “Most companies breached after February 15th 2018 will only discover the attack after GDPR is in force, and will only have 72 hours to publicly disclose the breach.
“Companies could be put in a situation that would result in irreparable and lasting brand damage, loss of customer trust and loss of competitive advantage to name a few, if they are unprepared.”