The General Data Protection Regulation: make sure you're prepared
Recently published research has suggested that two thirds of businesses are ‘unprepared’ for the upcoming introduction of the General Data Protection Regulation (GDPR). With this in mind, we take a look at the key principles of the new Regulation, and highlight strategies to help business owners comply with the new rules.
The GDPR: an overview
The GDPR is set to take effect from 25 May 2018, and will apply to all businesses in the UK, regardless of size or structure. It will require organisations to protect the personal information they process, and to have verified proof of such protection.
The Regulation places great emphasis on transparency and accountability, and will hold businesses accountable for safeguarding the collection, usage and storage of individuals’ personal data. It applies to organisations operating within the EU, and also to those offering goods or services to individuals who reside in the EU. The UK’s decision to leave the bloc will not affect the introduction of the GDPR, so ensuring that your business is prepared is vital.
What are the penalties for non-compliance?
Businesses that fail to comply with the new Regulation will be subject to stringent financial penalties, with fines of up to €20 million, or up to 4% of total annual worldwide revenue, whichever is the greater.
What does it mean for my business?
Many businesses may already be compliant with regulations outlined by the Data Protection Act (DPA). However, whilst the new GDPR builds on existing rights imposed by the DPA, it also requires firms to provide documentary evidence of their compliance, and identify a ‘lawful basis’ for processing personal data.
Reviewing privacy notices
Businesses are urged to review any privacy notices they have and, where necessary, ensure that these are amended ahead of the introduction of the GDPR. The new rules require businesses to inform clients not only of their identity, but also of their lawful basis for processing the information. Under the Regulation, data retention periods must also be outlined.
Allocating a sufficient budget
Businesses are urged to consider the financial impacts associated with GDPR compliance. Firms will need to review their current data protection practices, and align these to the new rules.
Doing so may prove costly. Those companies that process sensitive personal information, for example, will be required to implement more stringent procedures. The business’s size must also be taken into account when budgeting for the GDPR: for large businesses, assessing and altering data protection procedures might mean costs rise quickly.
Allocating a sufficient budget to GDPR compliance will help to mitigate the risks your firm faces.
Appointing a Data Protection Officer
Businesses may wish to designate a Data Protection Officer (DPO), who will be responsible for ensuring that the business is complying with the GDPR.
For most businesses, the appointment of a DPO is not compulsory. However, under the new rules, some types of businesses are required by law to designate a DPO. These include:
- public authorities
- organisations that carry out regular or systematic monitoring of individuals on a large scale; and
- organisations that process special categories of data on a large scale, such as health or criminal records.
Implementing adequate procedures for preventing data breaches
Ahead of the implementation of the Regulation, firms are advised to ensure that they have adequate procedures in place for detecting, reporting and investigating a personal data breach. The GDPR will introduce a new duty whereby firms will be required to report certain types of data breach to the Information Commissioner’s Office (ICO).
Businesses are urged to assess the types of personal data they hold: larger firms may wish to create new policies for handling data breaches, and communicate these to their employees.
The introduction of the GDPR will undoubtedly change the way in which businesses operate. Here, we have outlined just some of the measures that you should consider incorporating into your business plan to ensure compliance with the GDPR. Further guidance can be found on the ICO’s website.