The way that businesses of all sizes deal with the data they hold is set to change profoundly in the next nine months when the European Union’s General Data Protection Regulation (GDPR) comes into force on 25 May 2018.
But as the countdown clock ticks increasingly loudly, there are concerns that many companies won’t be ready in time for the switchover and will end up facing crippling penalties as a result.
Despite ongoing Brexit negotiations and its impending exodus from the EU, the UK will uphold the new legislation – effectively replacing the 1998 Data Protection Act – as confirmed in the Queen’s Speech in June this year.
In essence GDPR’s introduction will harmonise data protection laws across the EU. At a practical level, GDPR will re-shape the rules about how organisations are required to look after personal data. The legislation is being introduced against a backdrop of increasing data breaches and thefts, including the ransomware attack which brought parts of the NHS to a standstill earlier this year.
Compliance across the board
All companies will be expected to comply with the new rules regarding the secure collection, storage and usage of personal information. At the heart of the move is the theme that individuals will be given greater control over their personal data, specifically in being able to access, delete and move it. The definition of personal data is expanded to include IP addresses, internet cookies and even DNA.
Failure by companies to operate within the new legal framework could bring financial penalties severe enough to force a company to its knees. In the UK, firms that suffer a serious data breach could be fined up to £17m (€20 million) or 4% of global turnover. That compares with the current maximum fine of £500,000 for breaking data protection laws.
In the UK, the Information Commissioner’s Office (ICO) will be granted greater powers to carry out investigations and impose sanctions. These powers include the ability to obtain “information from data controllers and processors, enter and inspect premises, carry out audits and require improvements”.
Start planning now
Guidance documents published by the ICO recommend to businesses that “it is essential to plan your approach to GDPR compliance now and to gain ‘buy in’ from key people in your organisation”.
Organisations dealing with high-risk data processing will have to carry out impact assessments to ensure they understand and are able to mitigate risks. Earlier this year, the Direct Marketing Association carried out research which indicates that nearly half of all businesses will not be ready in time for the GDPR.
To help prepare for GDPR, the ICO has produced a 12-point list of steps aimed at businesses to take straight away.
These include: ensuring that the decision makers and key people within any organisation are aware that the law is changing; carrying out a review of current privacy notices and planning for any necessary changes; and designating an appropriate person to take responsibility for data protection compliance while assessing where this role sits within your business’s structure.
Nine months is not that far away, so don’t put off your GDPR planning.