Don’t get caught out, start planning now
The General Data Protection Regulation (GDPR) is the EU's new data protection legislation. It applies from 25 May 2018, so put that date in your calendar. It will affect your business, so the changes need to be in place before the deadline, not after it.
The last time the EU introduced new data protection law was in 1995, with the Data Protection Directive. John Major was Prime Minister, Google didn't exist and neither did social media. More than 20 years later the technological landscape is almost unrecognisable, and new rules are long overdue.
The UK government has stated clearly that all businesses will have to take responsibility for their own compliance and that Brexit has no bearing on it. GDPR applies to organisations established in the EU, and to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour, regardless of where the organisation itself is located. It is the processing of personal data that has to comply, and both data controllers and the data processors working on their behalf are responsible for the security of that processing.
This set of new rules supersedes the existing Data Protection Act (DPA) of 1998 and is stricter on privacy and data security. That doesn't mean you need to panic. Information Commissioner Elizabeth Denham has described the GDPR as "an evolution, not a revolution." If you already follow the DPA, the GDPR will not be a huge leap for your organisation, although it does add obligations the DPA did not have, such as notifying the ICO of a reportable breach within 72 hours of becoming aware of it and keeping records that demonstrate your compliance.
Tougher on data controllers
Organisations that decide why and how personal data is processed are known as data controllers; organisations that process data on a controller's behalf are data processors. Both are liable under the GDPR, and penalties can be imposed for non-compliance, including failing to report a personal data breach within the timescales the regulation requires. There are two levels of fines under the GDPR:
- The first level goes up to €10 million or 2% of your business's total worldwide annual turnover for the previous financial year, whichever is higher. This tier covers obligations such as security of processing, breach notification, data protection impact assessments and appointing a data protection officer.
- The second level goes up to €20 million or 4% of total worldwide annual turnover for the previous financial year, again whichever is higher. This tier covers the core data protection principles, the lawful basis for processing, individuals' rights and international transfers.
Compare this with the DPA, under which the most the ICO could fine a company was £500,000, and it is clear that the GDPR will hit companies much harder for data breaches. The hope is that this makes companies more vigilant and prevents the kind of large data breaches that have occurred repeatedly over the last decade.
How you can prepare
Those fines look eye-watering, but do not panic. The ICO and the EU have published guidance to help your company prepare for the changes. There are several useful resources to help your business get ready for 25 May 2018:
- The official EU GDPR website.
- The Information Commissioner's Office (ICO) website.
- The ICO blog, which dispels some of the myths around GDPR.
- The ICO's "12 steps to take now" document, which sets out how to be ready for 25 May 2018.
- The ICO's self-assessment checklists, which you can use to see how your preparations are progressing.
- The ICO's most recent article, which focuses specifically on helping SMEs.
Responsibility for GDPR compliance rests with each organisation, so make sure you are preparing well ahead of 25 May 2018. Remember that GDPR is "an evolution, not a revolution", and the resources above give you what you need to make compliance a manageable process for your company.