
What General Data Protection Regulation means for your business 

The new General Data Protection Regulation (GDPR) will come into play in May 2018, and you need to start preparing now.

If you haven’t already heard about the General Data Protection Regulation (GDPR), or you’ve heard of it but your organisation has yet to prepare for the upcoming changes in rules, now is the right time to start.

GDPR is an EU directive, but the Government has confirmed that it will implement the new law whatever form our withdrawal from Europe takes – so there is no point in delaying your strategy in the hope that Brexit will mean its disappearance.

As Adrian Davis, managing director EMEA at security certification organisation (ISC)², notes: “Whether we like it or not, the European Union GDPR will be a part of the privacy and cybersecurity landscape for a while yet. GDPR will be a legal requirement before Brexit occurs – and, once we leave, we will still have to follow its obligations if we handle the personal data of EU citizens.

“But more than that, GDPR really sets the bar for how we and our organisations look after the personal data of our customers, our staff and ourselves – and sets the bar high.”

Meeting the deadline

The basic objective of the GDPR is to enforce stronger data security and privacy rules among organisations when it comes to protecting personal data. The law comes into effect in the UK in May 2018.

However, understanding the key elements, auditing your organisation's current data protection measures, documenting all the information you hold and ensuring all your data collection and procedures are GDPR-compliant will be a lengthy process for any medium or large enterprise.

Smaller businesses may be concerned about their ability to cope with such a complex task, in which case now is the time to seek out a third-party expert – such as a security firm, a current trusted partner or a consultancy – to help with the workload.

Firms will also need to ensure their security alert systems are equipped to spot and react to any break-ins quickly because, under the GDPR, data breaches will have to be reported within 72 hours. To keep up with all these extra requirements, businesses will also need to appoint a data protection officer, who is responsible for the way they handle and process personal data.

€20m fines

And why is this all so important? Because failure to comply with the new law can lead to a fine of up to €20m or 4pc of global annual turnover, whichever is greater.

The rules are also quite clear on the fact that whoever is responsible for the breach – whether an employee, a malicious attacker, or a partner or other third party – is irrelevant; it will be the organisation that foots the bill and suffers any consequent reputational damage.

But there are also many compelling arguments in favour of GDPR. As Mr Davis explains: “GDPR can be used to achieve more than just compliance.

“For example, you can use GDPR to adopt best practice around the handling, control and security of your organisation’s information; update and enhance your business processes; improve the quality and integrity of data you hold; and to rethink why and how you capture and use personal data of your customers, staff and leads.”

Hidden benefits

Meanwhile, independent cyber security expert Orlando Scott-Cowley notes that if your business is already regulated, for example by the FCA or PRA, then the number of required changes could be minimal.

“If you’re the type of business that operates under a best-practice model, or is accredited to certifications such as ISO 27001, it’s likely none of this will be too much of a hurdle,” he says.

“But if, like many organisations, this is all new to you, then you’ll have a larger hill to climb. Starting this journey sooner rather than later will minimise the risk of a fine, bad publicity or even a legal process should the worst happen and you’re not ready.

“Four per cent of your global annual turnover or €20m is a large price to pay for direct breaches of the GDPR principles, but even a minor breach is likely to cost you 2pc or €10m at the bare minimum.”