UK businesses have until 25th May 2018 to make sure they are compliant with the requirements laid down by the EU’s General Data Protection Regulation (GDPR).
The GDPR is concerned with the protection of personal data, and is designed to reinforce existing regulations surrounding data privacy.
The law will give EU citizens greater control over what happens to their personal data when businesses get hold of it. In effect, the law aims to strengthen consumers’ rights while setting standards for best practice.
When the new regulations come into force, businesses must get consent before they use the personal data of any private EU citizen. Come the deadline, businesses must be able to demonstrate compliance. Fines for non-compliance will be hefty to say the least. So, as of 25th May 2018, laxity will be out.
- Why is the GDPR being brought in?
The EU has recognised a need to rationalise and standardise the data protection laws currently in place across different EU nations, ensuring consistency and a shared legal framework. The UK’s Data Protection Act 1998 (DPA) is outdated, when we consider how far technologies have advanced since its introduction. This new data protection law will bolster, not replace, the 1998 Act.
Today, we live out our lives online. The more we do so, the more our personal data is stored and used by businesses, which increases the risk of that data being compromised. Any business or organisation can fall victim to a cyber-attack. Only a few months ago, a ransomware cyber-attack wreaked havoc on a global scale, demonstrating how such attacks are becoming increasingly sophisticated. With businesses handling ‘sensitive data’ all the time, data privacy is of growing importance.
- Who does the GDPR apply to specifically?
The GDPR applies to public and private sector businesses operating within the EU that are processing data, and to any business outside the EU that trades with businesses or individuals inside the EU. On the ground, it is the responsibility of the data controller or data processor to be aware of the care required in the handling of personal data, whether that data belongs to clients, customers, or staff.
- Are small businesses exempt?
The GDPR does still apply to small businesses. The regulations apply to any commercial entity involved in the processing of personal data. This will include SMEs, as they are still involved in the collecting, storing and sharing of personal information. However, there are concessions for businesses which employ fewer than 250 people.
- What about Brexit?
The government has made clear that Brexit will not affect the implementation of the GDPR in the UK. Even after the UK breaks formally from the EU, full compliance from UK businesses will remain necessary, and will continue to be so unless stated otherwise. The GDPR applies to any business which handles the personal data of EU citizens, irrespective of whether they are in an EU member state or not.
- What should your business do now?
Any changes a business, large or small, needs to make may be significant. We advise businesses to act now to ensure they are prepared when deadline day arrives. The next 12 months should be used to prepare for the deadline next May, while businesses which have already started preparing for GDPR compliance must continue to do so.
For most businesses, the first move should be to appoint a Data Protection Officer or a Data Controller. This can be handled in-house or outsourced. The next step is to review the way in which your business collects, stores and handles personal data, and identify whether any processes need to be overhauled.
Data breach laws will also be more rigorous when GDPR is introduced. If a data security breach occurs, compromising an individual’s data protection rights, the Data Controller must inform the relevant authority within 72 hours.
- Why your business should embrace GDPR
Some businesses may consider the GDPR a burden. On the contrary, the new law should benefit businesses as much as individuals. Once in operation, if an individual does not want a business to use their data, they don’t have to give consent. An individual is more likely to give their consent to their data being used if they trust the business concerned. Businesses which put their customers first and provide a good service will be rewarded by those customers, who will be more likely to offer consent for their data being used. Businesses not regarded as trustworthy, or which fail to comply with the regulations, will be penalised. This is also a good opportunity for businesses to use data efficiently and creatively, while being accountable to their customers.
If the GDPR is treated as an opportunity and not as a burden by businesses, they should be rewarded.