Nick Richards gives us a few tips to prepare for the incoming GDPR changes.
If you haven’t yet heard of the GDPR, then by 25 May 2018 you certainly will have. GDPR stands for General Data Protection Regulation, and is being introduced to address modern concerns over data protection in the digital age.
The way we use data has evolved significantly over the past 20 years. Those four little letters are bringing about big changes for businesses – specifically in relation to how personal data is acquired and dealt with.
The GDPR is all about protecting the rights of individuals, with data use and responsibility at its core. The new legislation will replace the Data Protection Act 1998 and firmly puts the burden of proof on businesses, whilst empowering individuals to take control of their data.
The price for failing to be GDPR-compliant is high – hefty fines await those who fail to meet the new standards. The maximum penalty for breaching GDPR is €20m or 4% of a business’s global revenue, whichever is greater.
Add to this the associated reputational damage for your business following a data breach, and it becomes clear why becoming compliant for the GDPR rollout in May 2018 is absolutely essential.
Who will be affected?
In 2016, telecommunications company TalkTalk was fined £400,000 for failing to prevent a cyber-attack which allowed the attacker to access customer data. Should this happen after 25 May 2018, TalkTalk would be fined £74m under the new General Data Protection Regulation. That’s an 18,000% increase.
The more revenue your business makes, the more you will be liable to pay. To put this into context, the biggest technology company in the world right now could face fines of up to €760m if it doesn’t comply with the GDPR.
The new data protection laws will affect all types of business, and their impact will undoubtedly be felt in HR and the education sector.
If you have a presence in the EU, operate in the EU, or use the data of EU customers, then you will be affected by the GDPR when it comes into force. And Brexit doesn’t mean UK businesses can escape the reach of the GDPR either; the Information Commissioner’s Office has already confirmed the GDPR will be UK law by the time Brexit takes place.
If you outsource data processing, you’ll also need to ensure compliance throughout the entire supply chain too. As businesses increasingly rely on networks and outsourced technology such as cloud computing, good supply chain management has become critical.
The impact of GDPR on business
Several different areas of a business will be affected by the GDPR. For employers or providers of HR products, the GDPR poses some particular challenges.
Employers must make their employees aware of how their personal data will be processed, how long their data will be kept on record for, whether their data will be shared overseas and how they can request access to the data held for them or even request a deletion.
The new regulation introduces an employee’s right to erasure or ‘right to be forgotten’, which could prove challenging for employers who store information on inaccessible or complex systems.
Colleges, universities and adult education bodies are being urged to move to ‘data protection by design’ systems now, in anticipation of GDPR and the volume of existing data they hold on their students. On campus, it will no longer be acceptable to offer wi-fi access in exchange for consent to marketing materials, as is currently often the case.
Take these steps to compliance
A recent YouGov survey found that only 29% of UK businesses had started preparing for GDPR. But remember: when it comes to GDPR compliance, doing nothing simply isn’t an option.
Here are some steps you can take to improve your GDPR compliance:
- Audit your existing data. What current data do you hold? From names and email addresses, to health information or web browsing information, know what you’re working with.
- Map the existing flow of personal data through supply chains. Know where data is going and how it’s being dealt with.
- Hire a data protection officer. If you process data on a large scale or have more than 250 employees, you’re going to need one.
- Create a GDPR team. Include individuals with IT and legal expertise, and a representative from every team that handles data.
- Carry out gap analysis. Look at where the problem areas are and how you can fix them to become GDPR compliant.
- Invest and prioritise. Being GDPR compliant is a business cost, plain and simple.
- Document everything. Aside from being compliant, you need to prove you are compliant. Keep records of when data was gathered and how explicit consent was given.
- Be prepared for a breach. Under GDPR all businesses are required to report a data breach within 72 hours of becoming aware of one. Be aware of the effect a data breach could have on your customers and your business, and understand the impact of a breach before it even happens with regular data privacy impact assessments. Get a crisis plan in place now.
Prepare for GDPR compliance now to protect your business, avoid significant revenue loss and retain your customers’ trust by the time May 2018 arrives.