You may not realise it but, effective next year, new rules are coming into force around Data Protection. These new rules are known as the General Data Protection Regulation (GDPR) and will commence on 25 May 2018. Despite being an EU initiative, the UK has also committed to the GDPR. Furthermore, recent research has highlighted that many East Midlands firms seem unaware of the new wide-ranging data protection rules.
Why is it important?
In short, GDPR is the biggest change in 25 years in how businesses process personal information, and it replaces the existing data protection laws. However, a recent YouGov survey highlighted that only three in every 10 businesses (29%) have started preparing for this.
In addition, under the new rules, the maximum fine for UK data breaches will rise from £500,000 to €20 million, or 4% of global turnover if this is larger. Despite this, and the fact that virtually all businesses will be affected, only 38% are aware of these new rules.
Certain data breaches impacting on privacy must be reported to the Regulator within 72 hours under the new regime. Other changes under the GDPR include an obligation to be more transparent about how personal data is used. Businesses will also need to have processes in place in case an individual asks for all their personal data to be erased.
This low level of awareness of GDPR is caused by a number of misconceptions about the new rules leading to a level of complacency. Fundamentally, these new rules will affect all businesses since they encompass a wide range of personal data including employee data, payroll and pension records. They also apply to data in a business context where individuals are concerned, such as sole traders and partnerships.
On the other hand, businesses taking a proactive approach could indeed reap financial benefits. At the end of the day, good data governance can build customer trust and the right permissions can also help businesses take advantage of the Big Data Revolution.
But what steps should each business take? These could include:
- Document what personal data the company holds, where it came from and who it is shared with. Firms may want to consider organising an information audit or speaking to a data expert.
- Review current privacy notices and plan for any necessary changes needed before the implementation deadline.
- Check procedures to ensure that they cover all the rights individuals have under the new rules, including how to delete personal data or provide data electronically if needed.
- Review how the company seeks, obtains and records consent from individuals and whether any changes are necessary.
- Ensure the right procedures are in place to detect, report and investigate a personal data breach.
- Determine whether a Data Protection Officer is required and, if so, designate one to take responsibility for data protection compliance and decide where the role will sit within the organisation.
For more steps on preparing for the General Data Protection Regulation, businesses should refer to the Information Commissioner’s Office checklist. You can find out more about GDPR on the Information Commissioner’s Office website.
A positive step
The General Data Protection Regulation is intended to reflect modern working practices in the digital age, strengthening consumer trust and confidence in businesses. Furthermore, it will establish a single set of rules across Europe, making it simpler and cheaper for UK companies to do business across the continent, even after we leave the EU.
The existing data protection regulations were introduced in 1998. In the modern digital world we handle far more data, in many different ways, and we also move data across international borders more than we did. Businesses should therefore use this as an opportunity to review how they handle data and ensure they do it in the most secure way.
Companies wanting to know more are encouraged to attend one of the many events being organised on this subject. Check out our events calendar for the latest listings.