We’re about to see data protection rules undergo one of their biggest changes in two decades. On 25 May 2018, the new European General Data Protection Regulation (GDPR) will come into force (regardless of Brexit).
What is it?
The GDPR is Europe’s new framework for data protection. The EU’s GDPR website explains that the legislation is designed to harmonise data privacy laws across Europe and give greater protection and rights to individuals.
Within your business or organisation, it will change how you handle, use, interact with and store people’s data.
From a personal perspective, the new regulation will grant you control over all your personal data and ensure extra security and controls to protect that data.
Who will be affected?
As the updated regulation comes into effect, it will have an impact on organisations that obtain any data. In short, almost everyone will be affected.
The UK’s independent authority that will uphold GDPR, the Information Commissioner’s Office (ICO) has stated: ‘If you are currently subject to the DPA [Data Protection Act], it is likely that you will also be subject to the GDPR.’
Why the changes – and why now?
You may be wondering if there is too much focus on the new GDPR. After all, if it’s just an update of the current Data Protection Act, does your business really need to be making any changes?
It’s important to understand why these changes have come about and why they are happening now. Data is increasingly a high-class asset for companies worldwide. It pervades almost everything we do digitally, and as the business world grows ever more digital, it is important that companies stay compliant with GDPR.
What are the consequences of not complying?
To ensure we take these updated regulations seriously, penalties for non-compliance of €20 million, or 4% of your business’ annual turnover (whichever is higher), are being laid out as potential punishment.
This is at the discretion of the ICO, in its capacity as the UK’s independent authority to uphold information rights in the public interest. The ICO has also stated that fines under GDPR will be necessary, proportionate, and only ever applied as a last resort.
What do I need to do?
For your business to achieve compliance by 25 May, we strongly recommend that you start reviewing your privacy, data governance policies and procedures now, as well as the technology underpinning all of that. Treat this as an opportunity to assess your data strategy and how you can move towards modernising your technological infrastructure.
Steps to take your business in the right direction would include:
- Conducting an internal audit of processes across all departments
- Having a GDPR document that lays out what actions are taken to protect the data
- Identifying the data you hold on your customers, which could include their contact details or their business bank account information
- Checking your cyber-protection methods and ensuring you or your third-party providers have taken precautions, such as installing encryption software on all laptops, PCs and electronic devices used by you and your staff
- Appointing a data protection officer and establishing reporting procedures, so you know exactly how to respond to any data breaches
From these initial steps alone, it’s clear how vast the scope of GDPR is. Using these steps, you should get a sense of how close you are to being fully prepared. From there, you can start taking action.
We also recommend the ICO’s list of 12 steps to take now, which you can download here.
Helping you with GDPR
If you need help in identifying whether your business is GDPR compliant, a bespoke review is able from T-Tech: technology consultants and IT support providers for BKL. For further information, please get in touch with your usual BKL contact or use our enquiry form.