My Lords, I am grateful to all noble Lords who have spoken. I begin by thanking my noble friend Lady Neville-Rolfe, my predecessor in this role, for once again bringing the topic of small businesses to the House’s attention. Other noble Lords have extended that from small businesses to small organisations—indeed, even clans. While I am on the important subject of the clan, the noble Earl asked whether they would be classed as small organisations. I am sure that they are not small, but the answer is yes, they will be subject to the provisions of the GDPR.
The serious, general reason is that the GDPR, which is EU legislation which comes into direct effect on 25 May, is there to protect personal data. We must remember that the importance of protecting people’s personal data, particularly as it has developed since the most recent Data Protection Act was passed in 1998, has extended dramatically and concerns very personal items that belong to people. That is why it does not entirely matter whether it is a small or large organisation. Public authorities, such as parish councils, and other small organisations, such as charities, must take personal data seriously. They have obligations under the existing Act, but under the GDPR, they have more, and that is why. However, I and the Government instinctively support small organisations where we have it in our power to do so. I shall return to some of the specific points later.
I thank my noble friend for bringing this matter to the House’s attention and for coming to discuss it at length; I welcome this opportunity to provide some reassurance. As I have said at previous stages of the Bill, I wholeheartedly agree that the Government should recognise the concerns of the smallest organisations and continuously look at ways to support them through
the transition to a new data protection framework. The amendments tabled by my noble friend have all been designed with small organisations, charities and parish councils in mind.
Before I address each amendment in turn, I remind noble Lords that the Information Commissioner’s Office already produces a variety of supportive materials intended to help organisations of all sizes to navigate their way to data protection compliance. I strongly encourage businesses to consult these, and to make use of the commissioner’s new dedicated helpline, provided specifically for small organisations. I am pleased to say, in answer to my noble friend Lord Marlesford and, in part, to my noble friend Lord Deben, that the Information Commissioner has agreed to issue advice to parish councils, which will be published shortly. That is one of the organisations to which my noble friend referred. I understand exactly what he is saying, as I live in a small village and my wife is a parish councillor. I assure noble Lords that the issues of the Data Protection Act in relation to parish councils have been aired vociferously, and not only in this Chamber.
In addition, it is worth noting that the process for paying annual charges to the commissioner will become simpler and less burdensome, which I am sure will come as welcome news to small organisations—but we will return to that point shortly.
Amendment 106 would add a new clause that would give the Information Commissioner a duty to provide additional support to small businesses, charities and parish councils to meet their requirements under the GDPR. This may include, among other things, additional advice and discounted fees paid to the commissioner. I think that my noble friend Lord Marlesford, raised a point earlier on, and I hope that it will be helpful if I put it on record that parish councils can share duties like a data protection officer, which is a public authority that they have to have, under the GDPR, with other parish councils as well as with district councils. Parish clerks can also fulfil that role.
While I agree with my noble friend that small organisations should be supported to meet new obligations under the GDPR and this Bill, I cannot agree with the obligations that that would place on the commissioner. As I mentioned earlier, the commissioner has already published a wide breadth of guidance online and is continuing to develop this guidance as we near the date of GDPR implementation. I mentioned an example just now. Only recently, she updated her small business portal to make it easier for organisations to access GDPR-related resources. Given that the commissioner is already so active in this field, which the Government, and, I think, my noble friend fully support, I fear that additional prescriptive requirements would distract rather than contribute.