GDPR has MPs in a bind

Documents in a shredderImage source, Getty Images

Across the UK, small businesses are in something of a panic over GDPR. And among those worried about whether they will be ready for the new data protection laws are 650 firms based in Westminster.

I am talking about MPs - and there is worrying evidence that they and their staff may be getting poor advice.

The issue was raised in the Commons yesterday by Labour MP Chris Bryant.

He tweeted this: "Just raised a point of order on the ludicrous exaggerated advice to MPs on the General Data Protection Regulation that we should delete all casework information from before June 2018."

Media caption,

WATCH: What is GDPR?

Mr Bryant told me that his staff had attended a GDPR training session organised by the House of Commons. It seems they were informed that the new law meant that they could not keep any information about constituency cases that had been completed. They came away with the impression that all data from before the last general election would have to be deleted.

The MP said this would make it impossible to do his job properly, comparing it to a doctor getting rid of all previous files on patients. "My constituents expect me to have their previous details when they visit."

It seems staff in some MPs' offices have already deleted old casework data, having been told that "all MPs are doing this".

But this morning, the Speaker responded to Chris Bryant's concerns, telling the House of Commons that it was not at all clear that the trainers had advised deletion of data.

Image source, UK Parliament
Image caption,
MP Chris Bryant

"Despite vigorous inquiry yesterday by the House Authorities and the contractor commissioned by the House Authorities to support Members and their staff, no trace has been found by those responsible of such advice having been given."

Earlier, one Conservative MP told me that his staff had not seen any need for mass deletion. He showed me a letter from the chairman of the Commons Administration Committee relaying what seems like more measured advice from the information commissioner.

The letter includes this line: "The impact of the GDPR should be limited if you are compliant with the current laws and regulations."

That should be comforting, although I suspect some MPs will be nervously asking their staff to just check what their data policy has been over the years.

While the advice on issues such as how to respond to requests from constituents to erase data is reasonably complex, the letter quotes the Information Commissioner's Office as saying they are "not going to be looking at perfection, we're going to be looking for commitment".

Nevertheless, many MPs may have been tempted to take a safety first approach - just like all those firms that have sent you an email asking for your consent to remain on their mailing lists, when it probably was not necessary.

You may say that the very people who have been examining the data protection legislation should be better informed. But they are among many small businesses still struggling to make their way through the fog of confusing advice.

There have been plenty of warnings about the huge fines awaiting those who fall foul of GDPR - perhaps that message from the information commissioner about not looking for perfection straight away needs to be reinforced.