
Data Protection

The Issue

Data has become more and more central to commercial activity in recent years. More than 9 in 10 small firms collect and use data for at least one vital commercial activity. Data enables smaller businesses to serve customers more effectively, deal with suppliers more efficiently, better target business activity to expand their operations and develop new innovative products, services and processes.

Personal data is one type of data that smaller firms utilise. However, the regulation of personal data has been significantly altered by the coming into force of the EU’s General Data Protection Regulation (GDPR). This has substantially increased the costs of dealing with personal data for smaller firms, placed tighter restrictions on the ability of smaller enterprises to efficiently utilise personal data and constrained their scope for innovating with personal data.      

The old data protection regime cost smaller businesses around £7 billion annually to comply with. That equates to more than £1,200 per business a year on average. GDPR’s greater scope, complexity, poor design and drafting will make the ongoing costs for smaller businesses of complying with the ‘updated’ data regulation framework much higher than £7 billion. In addition to the annual compliance costs, smaller firms have incurred GDPR ‘implementation costs’ in the region of £6 billion.

With data so ubiquitous and vital to business success, there is a need for some regulation of personal data in order to make sure there isn’t egregiously negligent use of it. Nevertheless, the data regulation regime in the UK is too onerous: it stifles competition and acts as a drag on innovation in smaller firms. Brexit is an opportunity to reform the regime so that smaller firms can utilise data more effectively to enhance their competitiveness. It provides a chance to improve the regime’s quality through simplification, more bespoke drafting and greater discretion for businesses over meeting clear regulatory goals.

Action FSB has taken

While the GDPR was making its way through the EU’s institutions FSB lobbied MEPs and Member States to:

  • Ensure they understood the potential implications for small firms of the changes to data protection laws they were proposing.
  • Get the GDPR improved, e.g. through small business exemptions from its onerous obligations wherever possible, to ensure small businesses do not suffer too much from changes to EU data protection laws.

Once the GDPR had been passed by the EU, FSB lobbied MPs, peers and the Information Commissioner’s Office (ICO) to ensure that the GDPR’s worst excesses could be minimised through implementation that was sympathetic to the challenging circumstances of smaller businesses. Specifically, we argued that the ICO needs to develop and implement a comprehensive ‘partnership approach’ to its regulatory activity aimed at smaller firms. Such a regulatory policy would aim to create an open regulatory environment that helps spread best practice, learning and improvement among businesses. It should also include elements such as a risk-based and proportionate approach to surveillance and enforcement, the provision of small business focused support, and a formal ‘safe harbour’ policy for smaller firms so that they can be open about non-compliance and get support and advice about how to become compliant.

Our Goal

FSB wants a data environment that allows smaller firms to thrive through a regulatory framework that does not unduly inhibit, and where possible encourages, technological adoption and innovation. Therefore, the UK’s data regulation laws need significant improvement. They need to be clearer, simpler, more flexible, lower cost and less distorting.

In the meantime, the impact of the current rules needs to be ameliorated where possible through the instigation of a ‘partnership approach’ to regulation that looks to ‘enable’ small business understanding and compliance through an open regulatory relationship between regulators and smaller businesses.      

Achievements in...



  • FSB published a detailed report into the extent and impact of GDPR preparations on and by smaller enterprises in early 2018. The report set out an agenda for changing how data regulation is implemented and enforced by the ICO through the introduction of a formal ‘partnership approach’ to regulating. It also outlined a direction for long-term reform, which would make data regulation in the UK more supportive of the competitiveness of smaller businesses.
  • We received assurances from the ICO that they would take a sympathetic approach to regulating smaller firms’ compliance with GDPR in the months after it was introduced, in light of the complexity of the law and the scale of the changes needed to be made by some smaller businesses.
  • In conjunction with the ICO, in the lead-up to the commencement of the GDPR, FSB ran an awareness campaign alongside offering an extensive range of compliance support to members.
  • In Brussels, we lobbied to ensure that most small firms which only process data as a secondary activity, or do not process any data at all, are exempt from some of the more onerous requirements, i.e. conducting costly Data Protection Impact Assessments (DPIAs) and having a Data Protection Officer (DPO).
