Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Arbuthnot of Edrom
Main Page: Lord Arbuthnot of Edrom (Conservative - Life peer)Department Debates - View all Lord Arbuthnot of Edrom's debates with the Department for Digital, Culture, Media & Sport
(7 years, 1 month ago)
Lords ChamberI am grateful for the noble Baroness’s comments. Something certainly can be done to think more about turnover than the number of employees, otherwise there would be a big loophole, particularly around marketing and being able to set up a company to harvest data, for which the Act would not apply. It could then sell the data on. It would not need very many people at all to pursue that opportunity.
The other thing these amendments allow us to do is ask the Minister to enlighten us a little on his thinking about how the Information Commissioner’s role will develop. In particular, if it is to pursue the sorts of education activities set out in these amendments, how will it be resourced to do so? I know there are some career-limiting aspects for Ministers who promise resources from the Dispatch Box, but the more he can set out how that might work, the more welcome that would be.
My Lords, I declare my interests as a chairman of a charity and of a not-for-profit organisation, and as a director of some small businesses. Having said that, I agree with every word that my noble friend Lady Neville-Rolfe said.
The Association of Accounting Technicians has said that the notion that the GDPR will lead to a €2.3 billion cost saving for the European Union is absurd. I agree. The Federation of Small Businesses has said how a sole trader might have to pay £1,500 for the work needed, and someone with 25 employees might have to pay £20,000. In the Second Reading debate my noble friend Lord Marlesford talked about his parish council rather poignantly. It might be impossible to exempt organisations such as those from European Union regulations. But if that is so, I hope that my noble friend the Minister will say, first, why it is impossible; and, secondly, what we can do to get round and to ameliorate the various different issues raised.
On the duty to advise Parliament of the consequences of the Bill, I said at Second Reading that the regulator cannot issue guidance until the European Data Protection Board issues its guidance. That may not be until spring next year. This leaves businesses, charities and parish councils very little time, first, to make representations to Parliament; secondly, to bring in new procedures; and thirdly, to train the staff they will need. In that short time, organisations will all be competing for very skilled staff. That must push the price of those skilled staff up at a time when these small businesses will find it very difficult to pay.
I look forward with interest to hearing what my noble friend says, and I hope that he will be able to agree to the meeting that my noble friend asked for.
My Lords, I declare an interest as the editor of the Good Schools Guide. We have three employees and we certainly should come under this Act in terms of the data on people and schools that we have in our charge. It is very difficult to find any measure that describes the importance of data that a business holds other than, “How important is the data that you hold?”. Therefore, I look to my noble friend to explain how the Information Commissioner will not take sledgehammers to crack nuts and how they will genuinely look at how important the data you have under your control is and, given that, what efforts you ought to have made. That seems the right criterion to get a system that operates in a human way, where there is a wide element of giving people time to get up to speed and being human in the way you approach people, rather than immediately reaching for the fine.
However, this is important. This is our data. Just because I am dealing with someone small, I do not want them to be free from this. I want to be secure in the thought that if I am dealing with a small company my data is just as safe as if I had been dealing with someone big. I want to encourage small businesses to grow and to be able to reassure their customers that they are every bit as good. They would have terrible trouble having contracts with the NHS and others if they are not up to speed on this.
I do not think that is the way, but I do think we have to understand that this will be very difficult for small businesses. We have to look at how we might construct a set of resources that small businesses can use not only to get up to speed but to stay up to speed, because this is a constant issue. I draw your Lordships’ attention again to what is going on in Plymouth, where both universities, the FE colleges, the schools and the local authority, and a lot of the big businesses, have got together to construct apprenticeships in cybersecurity tailored to small businesses. Expert cybersecurity advice has been made available to small businesses in small chunks, while young people are trained in how to take the right path in cybersecurity rather than wandering off to the point where they get arrested if they visit the United States. There is scope for extending that in areas such as social marketing but also in data protection, where expertise tends to be concentrated in large organisations and a structure is needed that enables small businesses to have ready access to it. We could greatly enhance the employment prospects of a lot of young people, and improve life for our small businesses, if we talked to BEIS and the DfE about tweaking the requirements for apprenticeships to make it rather easier to run them in small businesses.