GDPR: The UK Information Commissioner writes to SMEs

  • 02 Apr 2018

By Elizabeth Denham, the UK Information Commissioner

May 25 is a landmark in data protection history, as the General Data Protection Regulation (GDPR) comes into effect, replacing the 1988 Data Protection Act (DPA). As the UK’s Information Commissioner, I’m excited to be part of this seminal shift in the privacy landscape.

Research suggests the SME sector is less prepared than others for the changes. We know that many small businesses are keen to get it right, but with so much misinformation out there it’s difficult for them to know what’s right and what’s not. 


It’s vital, therefore, that I address the fears that are permeating some small businesses. Some of this fear stems from them being sold myths as truths, and I want to tackle those to help small businesses get it right. 

I’ve already written a series of GDPR myth-busting blogs, published on the Information Commissioner’s Office (ICO) website, so I’m going to go back to the very first myth I busted. 

At a time when budgets are tight and technology is moving fast, fines are something that small organisations are particularly concerned about. Myth number one is that the biggest threat to organisations from the GDPR is massive fines. However, the fact is that this law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.


It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allowed us. It’s also true that companies are fearful of the maximum £17 million or 4 per cent of turnover allowed under the new law.

But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements, or that maximum fines will become the norm. The ICO’s commitment to guiding, advising and educating organisations around how to comply with the law will not change under GDPR. We have always preferred the carrot to the stick.

Issuing fines has always been, and will continue to be, a last resort. And we have yet to invoke our maximum powers.

Predictions of massive fines under GDPR that simply scale up penalties issued under the DPA are nonsense. Don’t get me wrong: the UK fought for increased powers when GDPR was drafted. Heavy fines for serious breaches reflect just how important personal data is in a 21st-century world. But we intend to use those powers proportionately.
And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are just as effective.


Like the DPA, GDPR gives us a suite of sanctions to help organisations comply. While these won’t hit organisations in the pocket, their reputations will suffer a significant blow.

And you can’t insure against that.

Organisations are unique, and we want to help them understand what it means for them so that, whether they’re a micro-brewery with 20 staff or a tech start-up with 200, they can get it right.

The ICO website is packed with information for all organisations, including a package of tools aimed at small and micro businesses. For more information, visit; or access more compliance advice at

Related topics