In just over eight months, one of the most far-reaching and comprehensive pieces of European regulation will change the face of how data is stored, handled and protected. The EU General Data Protection Regulation (GDPR) represents one of the most notable changes in worldwide privacy law in two decades and will call for businesses of all sizes to reinforce the processes and safeguards they have in place to protect sensitive data. Fail to do so, and substantial financial penalties will result.
May 25th is the key date for the business diary. This is when GDPR becomes law, and there is plenty to do in order to be ready for the new regime. Eight months really isn’t very long considering the potential enormity of the task that lies ahead.
GDPR – That’s not for me, is it?
GDPR applies to every business across the globe that provides goods and services to, or tracks or creates profiles of, EU citizens, regardless of whether or not that business is EU-based. Basically, if you do business with any EU-based audience, you will need to comply with GDPR.
Whilst this is an EU regulation which will automatically fall away once the UK leaves the European Union, it is likely, according to UK government announcements, that the UK will adopt domestic legislation to retain it in whole or in part. So there is no Brexit-related get-out clause.
The Regulation will increase expectations and rights concerning data privacy, and will push organisations to follow strict cyber security practices.
Non-compliance will result in hefty fines. Poor data security, for example leading to public exposure of sensitive data (in other words a ‘serious violation’), could land a business with a fine of at least €20 million, or 4 per cent of global turnover, whichever is greater. Even less serious incidents would result in a fine of €10 million, or 2 per cent of global turnover.
Could your business survive a fine representing 2 per cent of turnover?
These new fines are considerably heftier than what the Information Commissioner’s Office is currently able to levy. If you take a look at some recent fines that hit the headlines, and calculate what they’d be under GDPR, it really does bring home the scale of the changes.
TalkTalk for example was fined £400,000 for security failings in 2016 after it allowed customer data to be accessed by hackers. If that fine were to be levied under GDPR, it would escalate to £59 million.
As a business, you have to consider how a fine representing 4 per cent, or even just 2 per cent, of your annual turnover would affect you. In many cases, the business would, quite simply, not survive.
How to prepare for GDPR?
So what should businesses be doing to prepare for GDPR? How should they go about organising, managing and protecting data to ensure compliance, and to be able to prove that valid efforts have been and are being made to fall in line with GDPR requirements?
A key place to start is with gaining an understanding of what GDPR is, and how it will affect your business. The Information Commissioner’s Office (ICO) has published a helpful, easy-to-follow 12-step guide to help you prepare.
The key takeaways from this guide are:
1. Ensure key personnel and decision makers are aware that GDPR will in many respects supersede the Data Protection Act. Make them aware that GDPR matters, and that it will have a direct impact upon the sales, marketing and operational elements of the business.
2. Start to document the personal data held by your business. Record where it came from, and who it is shared with. An information audit is a good idea; whilst it will take time to carry out, it will be a worthwhile process.
3. Take a look at your existing privacy notices and be aware of whether they fall in line with GDPR requirements. Plan and introduce any necessary changes well ahead of 25th May 2018.
4. Check procedures to make sure they cover all individuals’ rights, including how personal data would be deleted or electronically transferred.
5. Ensure you have adequate procedures in place to detect, report and investigate a personal data breach.
6. Assign someone the role of managing data protection compliance and consider whether you must formally designate a Data Protection Officer.
The guide provides much more in-depth information and we would urge you to study it if you are starting out on your GDPR journey.
Your Cyber Security review
Something else you really are going to have to do ahead of GDPR is review your cyber security measures. Protection of sensitive personal data is crucial: it’s at the heart of the new Regulation.
Be sure to cover all potential routes by which cyber risk could reach you, and educate staff and everyone else with access to your network about your official processes. Remember that in the event of a data leak, the Information Commissioner will be looking for evidence that you have taken practicable steps to comply with your obligations and protect sensitive data. Demonstrating your efforts in this area will help to mitigate the severity of the penalty.
At IQ in IT, cyber security is our core priority. With GDPR on the horizon, we’re making a point of ensuring our clients are ready in all respects to protect against data breaches, ransomware and virus attacks. To request your cyber security review, all you need to do is get in touch: we’re here to help protect your business.