If you’ve not yet heard the term GDPR (General Data Protection Regulation), you certainly will. As we approach 25 May 2018, when this becomes law, the noise around it will grow.
Don’t stop reading now if the acronym seems boring and not relevant to you – it is neither. What’s happening is that a new law will come into play across Europe; Brexit or no Brexit, it will apply.
Yet this is not another year 2000-type hype where there was no impact or pain. The impact is already happening and the pain is going to get greater. If you’re not sure what the GDPR is or how it will affect your business, now’s the time to start paying attention. This is all about companies’ legal liability to protect data they hold on staff, customers, and in fact anywhere personal details are stored, and the impact – in other words, fines – that are going to ensue if you don’t.
This encompasses cloud, on-premise, IoT and mobile. No matter where you store data, if it meets the criteria of personally identifiable and relevant information, then you need to comply. Ignorance will not be an excuse and will in fact put you in a far worse position; you are far better placed if you can demonstrate diligent action and show how you have tried to mitigate any risk, as a defence. It is good practice to be able to show that you have attended training, acted on the process recommended from it and tried to do the right thing; you then have a far better chance of being treated leniently and worked with, rather than against, should the worst happen.
There is a wealth of information and articles on GDPR available, yet many quickly defer to complex, detailed material and do not give clear, plain guidance as to what it means and what needs to be done. So let’s make this clear and simple in three buckets: why it is, what it is, and what you need to do.
Data is important and you have a legal responsibility to do certain things
Data breaches hit an all-time record high in 2016, with an increase of 40% over 2015. You may have already heard about some of the high profile names who had such breaches recently, from Three Mobile in the UK, French naval defence contractor DCNS, Vodafone in Germany, the Czech Ministry of Education, the Irish Department of Social and Family Affairs… we could go on, and it’s a certainty there will be more of these stories coming.
Data protection laws are long overdue an overhaul. For example, most Data Protection Acts have not been revisited since the late 90s at best, and since then the world has changed radically: the internet, cloud and mobile have transformed the volume of interactions and data exchanges taking place.
What GDPR is
GDPR is the new law that, from May 2018, requires any business that operates in the EU or handles the personal data of people who reside in the EU to implement a strong data protection policy to protect this client data. It is the EU’s way of giving customers more power over their data and less power to the organisations that collect and use such data for monetary gain. Businesses that fail to meet the new standard will face fines of up to 4% of global turnover or €20 million (£17.2m), whichever is larger, and businesses that suffer a data breach without having adequate measures in place will face the same.
In other words, this is a law – something mandatory you need to take action on as a director of a firm with director liabilities and something that your customers care about. See this not as a threat but as an opportunity to get your ship in shape and proudly state to customers you have been on GDPR training and are taking action with processes to be a good, caring supplier. Consider putting a GDPR and ‘how we care for your data’ section on your website.
What action you need to take – and don’t panic!
You need to be prepared as a business to take action now and to mitigate the risks you face. Do not assume you are immune from a leak of data and that you can deal with it afterwards. By taking action now you can help reduce the risk of it happening, and taking demonstrable action will give you a defence should the worst happen.
The May 2018 deadline may seem a long way off at the moment, but businesses must act today in order to understand what it will take for them to achieve compliance, to have time to do it, and to do it without panic, fitting it in alongside the day-to-day running of the business. You need to get the ball rolling and have a plan of actions for your journey to GDPR, so that come 2018 you have no panic, no worries, and can assure your customers of your compliance.
There is much talk, for example, that every organisation will need to appoint a data protection officer, and that failure to do so will expose you to possibly huge financial sanctions. In some cases this may be required, but you need to understand this now and then work out the most effective plan to ensure you are compliant in the way that best suits your business.
The last Information Commissioner’s Office (ICO) survey found that 75% of adults don’t trust businesses with their personal data; so as well as being legally compliant, you can also use this in a positive way to reassure your clients in dealing with you.
You will find many offering three-day courses and/or complex, expensive consultancy, and whilst for some this may be appropriate, for most businesses allocating someone to own the process as a special project, and then sending them on a day’s awareness and process training workshop now, will get you on the way with plenty of time to work it out well for your business.
Editor’s note: If you wish to know more and find out what sort of training options are available, check out gdpr.direct.