GDPR, or General Data Protection Regulation if you prefer, is coming. Are you ready? Well, if you’re a business owner or a key decision maker and you even know what it is then you’ve got a head start on around a third of your contemporaries in the UK, according to our research.
The biggest change to data protection in 20 years
For those of you who aren’t yet familiar with the potentially business-changing EU regulations coming into force next month, let me enlighten you (but also, where have you actually been?). GDPR was adopted into law by the EU Parliament in April 2016 and, from May 25, 2018, it will apply to all companies processing and holding the personal data of people who live in the EU, regardless of where the business is located. It was designed to make sure that data privacy was standardised across Europe, to protect citizens’ data privacy and to reshape the way that businesses right across the region think about and implement data privacy.
The GDPR will completely overhaul how businesses process and handle data. It’s the biggest change to data protection rules in decades and it’s come about because the old system was deemed no longer fit for purpose given the vast amounts of data and personal information many firms now have access to following digital advancements over the past 20 years.
The penalties for failing to comply are potentially enormous and could have serious consequences for many businesses. Organisations that fail to meet the regulation can be fined up to 4% of their annual global turnover, up to a maximum of 20 million Euros. And don’t think that Brexit will save you either, because not only has the UK government decided to enshrine the new legislation into the UK statute book, but a large number of UK businesses already do, and will continue to, handle the data of EU citizens – Brexit or no Brexit – and, therefore, will have to comply.
Take a breath, there’s nothing to be scared about here
So that’s the lesson out of the way. You’re probably asking now: “What do we have to do about it?” Before we get into that, let’s take a deep breath and try not to panic. There is plenty of scaremongering going on when it comes to GDPR and as the countdown to May 2018 continues, it’s a topic that’s likely to earn even more column inches. Remember, just a little while back, Elizabeth Denham, the UK’s information commissioner who is in charge of data protection enforcement, described GDPR as “an evolution in data protection, not a burdensome revolution”.
Feeling better? You should, because for businesses and organisations already complying with existing UK data protection laws – and Litmos Heroes research found that 6% admit that they currently don’t – that should be the case. For those diligent businesses, getting GDPR-ready should be little more than a matter of reviewing existing processes and making a couple of enhancements. It could still mean a lot of work, however, and plenty of UK businesses have recognised this. In fact, almost a quarter have employed someone just to make sure they comply in May.
And this is an important point. According to the ever-helpful GDPR.report website, the first step towards GDPR compliance is to establish an accountability and governance framework. It suggests that:
“The board must understand the implications of the GDPR in order to support the project and allocate the resources required to complete it. A director will also need to be assigned accountability for the GDPR, and data protection risk will need to be incorporated into the corporate risk management and internal control framework. A person or team must control this project, and they will need a significant understanding of both the business and the GDPR.”
How to get your company ready for May 25th
Well. There are, of course, many ways to accomplish the same goal, but the GDPR.report website suggests that:
“Once the GDPR team is aware of the ins and outs of the Regulation, it will need to work out what parts of the business fall within the scope of the GDPR (business units, territories and jurisdictions) and identify which standards and management systems may be affected or could contribute to GDPR compliance. Conduct a data protection impact assessment (DPIA) – DPIAs help organisations identify, assess and mitigate or minimise privacy risks with data processing activities. They’re particularly relevant when a new data processing system, process or technology is being introduced so that you can implement privacy by design.”
Our recent research paints a worrying picture but, as Elizabeth Denham added in one of her blog posts:
“This law is … about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point. It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”
If you get your house in order, follow a series of simple steps and, more importantly, start the process as early as possible, it might just be that GDPR isn’t quite as scary as you thought it might be. Get started by downloading this free training video to incorporate into your own training.