How we gather and use data and what happens to it is a major concern for the modern world. The way businesses and organisations use your personal and private information has been addressed to date by the introduction of legislation such as the Data Protection Directive from the EU. But there have always been issues about how robust this is in our increasingly digital lives.
According to the managing director of DQM GRC, Christine Andrews:
“Unfortunately, for too long, some organisations have presumed consent, worked with implied permission, and experienced data losses that have taken months to detect and report.”
In April 2016, the EU adopted the General Data Protection Regulation, and it is set to become law in all member states, including the UK, on 25 May 2018.
What is the General Data Protection Regulation?
The GDPR is essentially an updated version of the existing Data Protection Act, with added clarification and new levels of accountability. One big change is that any company outside the EU that is targeting consumers in the EU needs to comply with these data protection regulations. The other is the clarifying and strengthening of accountability – the regulation puts the onus on businesses and organisations to demonstrate that they are complying with the rules. This includes maintaining documentation, producing data impact assessments and being transparent about how they carry out data protection.
Some businesses and organisations will need to appoint a data protection officer with sufficient knowledge and experience to handle data protection issues and put the appropriate processes in place. Making it easier for users to withdraw consent, and improving how they are made aware of their rights, are also part of the new GDPR. The notification of data breaches is another important change, geared towards making sure all organisations are transparent in their processes.
What it Means for Businesses
If you already adopt best practice when it comes to data handling, you probably don’t have much to worry about or much to do with regard to the new GDPR. If you still haven’t got your strategy or a transparent policy in place, then it’s time to start putting one together.
The GDPR is going to change the way that customers expect you to handle their data, and getting on the wrong side of the regulation could well cost you in various ways, including sanctions and a large fine – up to 4% of your business turnover or up to £20 million.
While the regulation doesn’t come in until 2018, businesses need to prepare for the GDPR right now:
- The regulation makes it harder to get consent to use data and easier for consumers to withdraw that consent.
- The right to be forgotten is included.
- Businesses not only have to comply with the GDPR, they need to demonstrate that they are doing so.
- Your business may have to appoint a data protection officer if you fall into certain categories.
- There is a greater onus on businesses to protect all personal data better and report accurately and transparently on all breaches.
- While businesses might be vulnerable to sanctions from the ICO, the regulation may also open them up to claims from disgruntled consumers and users who feel their data has not been handled correctly.
The first thing businesses will need to do in the lead-up to 2018 is to evaluate whether they fall within the scope of the GDPR. For many this will be the case, and that means there is plenty of work to do. You will have to review your current compliance, put in additional measures where needed and even arrange to hire a data protection officer. The biggest problem many businesses are going to face is creating a process for maintaining accurate records, which could involve implementing new software as well as updating permissions, including the way they communicate with users.
The cost to UK businesses of complying with the GDPR could be as much as £320 million a year, according to a recent report by the Ministry of Justice. With as many as 70% of businesses stating that they will need to put in new IT systems in order to comply, the new regulations could cause a major drain on resources for organisations across the board. Large companies that deal with ‘big data’ will feel the impact of the GDPR more than any other. It could also affect industries in different ways, particularly advertising, where potential losses of some £600 million over the next few years have been suggested.
The Brexit Effect and GDPR
While leaving the EU and making our own rules might eventually exempt the UK from the GDPR, it’s more likely that we will retain the regulation for our own use and, indeed, the Government have already confirmed this is the case. The regulation applies to any business, wherever it is located, that operates in Europe or targets Europeans as customers.
The advice for all businesses that fall under the net of the GDPR is to start developing the right processes and procedures now rather than waiting until the regulation comes into effect.