On 25 May 2018, the General Data Protection Regulation (GDPR) will begin to apply across the European Union (EU), marking a milestone in EU data protection law.
Under GDPR, a company may be fined up to €20 million or four per cent of its annual global turnover, whichever is higher, for the most serious infringements. The substantial financial penalties, alongside the risk of reputational damage, a loss of consumer confidence and a potential fall in share price, mean that GDPR compliance needs to be taken seriously.
However, with just a year to go until the regulation applies, nearly half of businesses are not GDPR ready, according to a report by Experian. A common belief is that GDPR is about data and technology and is therefore an IT issue, rather than one that affects the whole business.
The reality of ignoring GDPR is very different. Even organisations that think they are prepared could be in for a rude awakening if they suffer a breach or face an audit, and will then bear the consequences of non-compliance.
But does it apply to me?
The regulation applies to any organisation established in the EU, and to any organisation outside the EU that offers goods or services to people in the EU or monitors their behaviour, regardless of where it is headquartered. More generally, the new rules mean tighter controls on the protection of personal data no matter where it is sent, processed or stored. Any organisation or individual that processes personal data is responsible for its protection, and the third parties (processors) you pass that data to are subject to GDPR as well.
Now that Article 50 has been triggered and the UK is set to leave the EU, there is much misunderstanding as to whether GDPR will continue to apply. Many businesses have stopped preparing for GDPR as a result of Brexit; a survey of UK IT decision makers found that 24 per cent are no longer preparing for the regulation.
However, as stated by Karen Bradley, Secretary of State “we will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR…” In spite of the UK’s decision to leave the EU, businesses will still need to adhere to the regulation if they want to trade with other European countries. The UK Information Commissioner’s Office has stated that it will follow GDPR for its future data protection best practices and all organisations will have to comply, regardless of Brexit.
What will change?
One of the biggest changes is the scale of the financial penalties. The level of a fine depends on the severity of the infringement and on whether the company can demonstrate that it had adequate measures in place to protect data. On top of fines, organisations may also have to pay compensation to individuals who suffer damage as a result of data loss or theft. Fines fall into two tiers: the lower tier allows fines of up to €10 million or two per cent of annual global turnover, whichever is higher, for failures such as not keeping records of processing in order, not notifying the supervisory authority and data subjects of a breach, or not carrying out a required data protection impact assessment.
Under GDPR, breach notification becomes mandatory. Unless a personal data breach is unlikely to “result in a risk for the rights and freedoms of individuals”, it must be reported to the supervisory authority (in the UK, the Information Commissioner’s Office) within 72 hours of the organisation becoming aware of it. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be told “without undue delay”.
Another data subject right is the right to erasure, also known as the right to be forgotten. It entitles the data subject to have their personal data erased, to stop its further dissemination, and potentially to have third parties halt processing of it. The conditions for consent have also been strengthened: a request for consent must be presented in an intelligible and easily accessible form, using clear and plain language, and it must be as easy to withdraw consent as it is to give it.
If you are a public authority, or your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health data or data on criminal convictions), you will also need to appoint a data protection officer to oversee data protection compliance.
How to prepare
As with any significant change in a business, clear communication of what is happening and why, backed by the leadership team, is needed to drive cultural change. Without an accountability framework, monitoring processes, and educated and trained staff, the business will struggle. Don’t delay: it is time to pay attention to your data so you can meet the changing regulations and secure your business.