We look at how UK organisations can prepare for the General Data Protection Regulation.
On 28 May 2018, the EU’s ambitious General Data Protection Regulation (GDPR) comes into force, with the aim of strengthening data privacy and protection for all EU citizens.
The regulation puts individuals firmly back in charge of their personal information and what happens to it. From sole traders working at home to giant multinational corporations, no one (except law enforcement and intelligence agencies) is exempt. But how well-prepared is the UK?
The regulation imposes significant new requirements on organisations, including:
- building privacy into systems by design (and switched on by default);
- conducting regular privacy impact assessments;
- implementing stronger consent mechanisms (particularly when processing data pertaining to minors);
- following stricter procedures for reporting data breaches;
- documenting any use of personal data in far more detail than previously.
Organisations failing to comply could face fines of up to €20m or 4% of annual turnover (whichever is greater).
UK firms unprepared for GDPR
There’s little reliable data on UK firms’ level of preparedness for GDPR, but anecdotal evidence suggests it’s nowhere near where it should be, with lack of awareness particularly acute among smaller businesses.
Chris Weston, a leading CIO turned independent digital technology adviser, says: “Most of the companies I speak to are compliant with the Data Protection Act (DPA), but it comes as a shock when they learn they’re going to have to address data protection issues again in a way that significantly affects not just their technology but their business processes.”
Greater awareness essential
While he says IT professionals, particularly those in larger companies, seem to be on top of the issue, Weston believes there needs to be a concerted effort to raise GDPR awareness among the general business community. “It’s urgent. I think we should be seeing a campaign of a similar scale to Y2K,” he says.
Security expert Brian Honan, who has long advised organisations on data protection issues, agrees that more effort is needed to raise awareness of GDPR requirements. “Although the ICO has a lot of good material on its website, there’s a lack of education from the government, and that vacuum is being filled by messages that aren’t always particularly helpful,” he says.
Honan adds that the EU General Data Protection Regulation is not primarily an IT project. “It’s a business project. IT can help implement controls and systems to protect privacy and ensure the security of data, but there are business processes that need to be put in place regarding subject access requests, ensuring privacy by design in all systems and services, privacy impact assessments, and so on. Businesses have to understand this can’t just be left to the CIO or IT director,” he says.
Brexit offers no GDPR get-out
A recent survey conducted by Crown Records Management suggested that a quarter of UK businesses had cancelled GDPR preparation following the vote to leave the EU.
In fact, Brexit is likely to make little difference to the need for GDPR compliance among UK organisations. The UK will be a full EU member for at least 10 months following the regulation’s introduction, so firms still need to be fully compliant by the deadline. In addition, the legislation is likely to be adopted wholesale when the UK leaves. Even if it’s not, any company with EU-based customers will have to remain fully compliant.
As Fieldfisher’s Grant notes: “Post-Brexit, the UK will still want the rest of the world to consider it has an adequate data protection regime. It will be far easier for us to do that if we implement the GDPR as originally drafted and don’t relax any of its provisions.”
Compliance as a business differentiator
Rather than viewing the General Data Protection Regulation as another compliance burden, smart organisations should see it as an opportunity! Customers are increasingly likely to choose businesses that can show they take their customers’ data privacy seriously.
Source: Computer Weekly