Time is running out. On 25 May 2018, the long-awaited EU General Data Protection Regulation (GDPR) will start being enforced. Despite the amount of noise surrounding the GDPR, it is apparent that many firms aren’t up to speed with what the GDPR means for their company, or how to prepare for it. Additionally, the current political and economic landscape is creating uncertainty and further distraction for UK businesses. The good news is there is still time, and getting to grips with the regulations now will ensure that your business isn’t impacted by the new legislation come May next year. In part one of this three-part blog series, NW Systems explain the core principles of the GDPR.
“So, what does the GDPR have to do with us?”
That’s the question that has resonated in boardrooms across the UK over the last 18 months with increasing intensity. The answer is quite a lot - if your business is holding Personally Identifiable Information (PII), as many do. New, smart technologies have resulted in a proliferation of data in businesses of all sizes, which has meant current data protection laws required a little tweaking. In simple terms, the GDPR is an updated version of the Data Protection Act (DPA) and aims to ensure the security and protection of PII. If your company stores personal data, then GDPR applies to you.
Preparing for GDPR
If you haven’t begun preparations, or if you are unsure how the regulation may affect your business, now is the time to start reviewing your data protection processes. This will be crucial to ensure business activities continue to function as normal. Failure to comply with the new regulations could result in large fines, such as €20m, or 4% of a company’s annual turnover, whichever is greater. The reputational damage of non-compliance could also be catastrophic. Many of the DPA’s core principles still apply, such as what data a business holds and where it came from. The key differences will come from issues such as:
1. Accountability - While under the original laws the responsibility for a breach sat primarily with the controller, under the new legislation it sits with both controllers and processors. Firms must therefore begin looking beyond their own four walls to ensure complete protection. For example, are a company's suppliers also ensuring that the technology or service they provide is adequately secured?
2. Consent - Some organisations may have become complacent regarding consent under the Data Protection Act, utilising personal data in a way that wasn’t originally intended when the data was first collected. It is vital businesses ask themselves:
- Has the original purpose for having the data changed?
- Are there any secondary reasons for data use that have arisen since the original purpose?
- Has the data been shared with third parties since it was initially obtained?
If any of the answers to the above questions are yes, the company may be in breach of the GDPR if the data subjects have not been kept informed of the changes in use, or the third parties are not GDPR compliant.
3. Territorial scope - The GDPR doesn't only apply to those trading within the EU. It also applies to businesses trading internationally if the data relates to an EU citizen residing in any member state. Furthermore, the regulations will still apply in the UK, despite Brexit.
4. Privacy notices - Businesses are required to inform data subjects of their rights and of how their data is being utilised. They must also advise those potentially affected by a data breach within a certain time frame.
Of course, especially within smaller businesses, the expertise required to ensure GDPR compliance won’t always exist internally, leaving many headaches as to who will manage this process. The good news is that there are experts out there, many of whom can manage the process of data protection and compliance for you. At NW Systems, we can help your business prepare for the GDPR. There are severe consequences for non-compliance, but with the correct preparation, the new regulations could become an opportunity for increased security provisions within a business, instead of a regulatory burden.