The EU General Data Protection Regulation (GDPR) is a new data privacy law being introduced in May next year to replace the outdated Data Protection Act, which came into force in the late 1990s before the dawn of the digital age.
It’s a complete overhaul of the legal requirements for anyone who handles the personal data of EU citizens and is aimed at giving people greater control of how businesses use information about them.
As with anything new, there is some confusion and misconception out there over the impact GDPR will have on businesses. In truth, the new regulation is a matter of evolution rather than revolution.
Most organisations will already have many of the new obligations covered off, as a matter of common business sense.
The obligations of GDPR
Any organisation with more than 250 employees must adhere to the new rules. Yet that doesn’t mean that smaller businesses will be exempt. In fact, any business involved in regular “processing” of data – including collecting and storing data – must comply with GDPR.
As mentioned, much of the obligation of GDPR was covered off by previous legislation. However, there are a number of new responsibilities under GDPR, with the main ones as follows:
What are the risks to my business?
GDPR will be enforced by large fines for non-compliance – up to 20 million Euros or four per cent of a company’s global turnover. The other risks of data breaches, such as revenue loss, negative reputation, remediation cost, customer notification expense and loss of client trust, all still apply.
How can my business prepare for GDPR?
Many of the obligations will already be common practice within companies with solid data privacy and protection processes, but mistakes are commonplace.
The first step in complying with GDPR’s requirements is to understand whether you are required to appoint a DPO (Data Protection Officer) – not necessarily a full-time employee, but potentially an outsourced role.
Terms and conditions, or privacy notices, will probably need updating to reflect new obligations to make individuals aware of their rights under GDPR as part of the data collection process.
Your business should also have clear plans in place for actions to be taken if a breach happens, working out what constitutes personal data, where it’s kept and who can access it, and the process for identifying breaches and reporting them.
You will also need to review historic data collection and whether those people opted in, or not. If not, you are liable for prosecution if you continue to use this data.
What next, and will it be affected by Brexit?
The UK will be a full member state of the EU when GDPR comes into force and indications suggest that we will continue to implement its principles following Brexit.
This does raise an important point, though: act now and start considering the implications of GDPR, regardless of the confusion over Brexit.
May 2018 is just around the corner and the potential consequences of not complying with GDPR may be serious. We advise you to visit the ICO website at https://ico.org.uk/about-the-ico/our-information/our-strategies-and-plan...
The site includes useful links, including a checklist for you to follow in preparation. If you require further advice on this matter, please contact Venture Insurance.