Regardless of Brexit, the EU's General Data Protection Regulation (GDPR) will become effective in May 2018. Companies must prepare now to avoid hefty fines.
The EU's new data protection rules come into effect on 25th May 2018. However, many companies (particularly SMEs) have yet to prepare for the new regulations, while others are not aware of the revised legislation and what it means to their business.
Here, we take a look at GDPR and why it is important for businesses to act now in readiness to comply with the new rules.
What is this all about?
As the name suggests, GDPR is about regulating data - fundamentally, it is about how customer and employee data is managed and structured.
The revisions that GDPR introduces are designed to allow individuals to obtain greater access to information on how their data is processed; to easily move personal data between service providers; to allow individuals to request that personal data is erased if there is no legitimate reason for retaining it; and to give individuals the right to know when their information has been hacked.
This should make it easier for individuals to give informed consent for information they provide to be used for a specific purpose, to their benefit.
Why does it matter?
First off, understanding GDPR is important. Ignorance is not an excuse for non-compliance, and non-compliance can be punished severely.
YouGov recently revealed the results of a survey they carried out, stating that only 29 percent of UK businesses have begun preparations for GDPR. With only 10 months until GDPR comes into effect, many businesses are running out of time to bring themselves up to speed, not only in understanding GDPR but in ensuring they have the right infrastructure to abide by the rules.
What should make business owners sit up and take notice of GDPR is that non-compliance can be met with much bigger fines than they may previously have encountered: a fine of up to 4 percent of annual global turnover or €20m (whichever is greater) can be imposed on their business.
And don't think that Britain's departure from the EU will mean you might be able to get away with being lax when it comes to applying the rules; Brexit won't happen before 2019 at the earliest, and there are many sources that state GDPR will form the basis for UK data protection policy in future.
There are obvious benefits to GDPR for those trading with the EU, though. For companies which trade across borders, the revisions should lead to less bureaucracy, with clearer, simpler, more unified standards to work within, making it easier to maintain a pan-European digital economy with strong data protection standards and security in place.
Further, the GDPR will establish a single European law for data protection, meaning companies only have to abide by one law in future rather than the 28 currently in place. According to the European Commission, this will bring efficiencies to the tune of approximately €2.3 billion per year.
It matters a lot to companies financially, but it equally matters to customers and employees of your business that their data is used appropriately.
What can be done to prepare for the new rules?
Preparing for GDPR means understanding how it might affect your business. Do you need to manage your data more effectively than at present? Could your company easily detect a data breach? Do you currently hold any data on individuals without their consent?
Understanding how you currently work with data - where it is all stored, who has access to it, where it might be shared - is the key to making sure that you meet the requirements of GDPR.
The Information Commissioner's Office (ICO) has created a checklist to run through in readiness for GDPR, which includes:
- Awareness: Ensure that all decision makers and key people in your organisation are aware of the GDPR - they need to appreciate its impact.
- Information You Hold: Document what personal data you hold, where it came from and whom you share it with. Also, organise an information audit.
- Communication of Privacy Information: Review your current privacy notices and put a plan in place for making any necessary GDPR changes.
- Individuals’ Rights: Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject Access Requests: Update your procedures and plan how you will handle requests within the new timescales and provide any extra information.
- Legal Basis for Processing Personal Data: Look at the various types of data processing you carry out, identify your legal basis for doing so and document it.
- Consent: Review how you are seeking, obtaining and recording consent and whether you need to make any changes.
- Children: Think about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
- Data Breaches: Ensure you have the right procedures in place to detect, report and investigate data breaches.
- Data Protection by Design and Data Protection Impact Assessments: Familiarise yourself with the guidance the ICO has produced on Privacy Impact Assessments, and work out how and when to implement them.
- Data Protection Officers: Designate a DPO, if required, or someone to be responsible for data protection compliance, and assess where this role will sit within your organisation’s structure and governance arrangements.
- International: If your organisation operates internationally, you should determine which data protection supervisory authority you fall under.
For the very latest information and advice on GDPR, visit the ICO website's overview of GDPR.
Talk to us about cyber insurance
Complying with GDPR should make life easier in the long run, but there could be some short-term adjustment for your business to ensure compliance with the new rules.
Your business will have unique risks when it comes to storing and manipulating data, which sit alongside the other elements of trading in a digital world.
Online threats are ever-present, with data breaches, distributed denial of service (DDoS) attacks and malicious software (including malware and viruses) forming but some of the many risks of modern trading.
Coupled with this is the damage a cyber breach does to a business' reputation, which comes on top of any financial impact of a cyber attack.
It could pay dividends to protect your business with appropriate cyber insurance. Contact Bollington on 0161 929 1851 to discuss how we can help with insurance to protect your business against these risks.