How can UK businesses prepare for the EU GDPR data law changes?
14 March 2017
After more than three years of discussion, the EU General Data Protection Regulation, otherwise known as the GDPR, is now approaching an enforcement date. The final text of the GDPR was published in the Official Journal of the EU in April last year, heralding some of the most stringent data protection laws in the world. Although there are currently no penalties in place for not following this new legislation, there will be shortly. By May 6th 2018, this regulation will become a directive, meaning that EU member states need to transpose it into national law. Following this date, businesses and individuals that breach the directive may face massive financial penalties of up to millions of pounds, so it’s paramount that businesses are aware of the changes to the law, and that they prepare for Data D Day – it’s only a year away.
What are the key changes to data law in Europe following the EU GDPR directive?
One of the main ways current data directives will change is that greater liability lies on businesses to ensure their data is securely protected. Businesses over a certain size must hire a data protection officer, while all businesses must have documented policies and controls in place in order to prove that data policy is of utmost importance to the organisation. If a breach was to happen, the business retains liability to individuals affected by the breach, and must notify them within 72 hours of the attack. Failure to comply with certain parts of the EU GDPR will result in a €20 million fine or 4% of total worldwide annual turnover; whichever is higher. These fines aren't of a simple "slap of the wrist" nature. They're clearly intended to ensure organisations are proactive in implementing these required changes.
Following Brexit, the UK isn’t part of the EU. Does this mean we’re immune?
The UK’s Information Commissioner’s Office (ICO) has said that the EU data reforms will not directly apply to the UK once it has left the EU. However, from 2018, if the UK wants to trade on equal terms with the EU market, its data protection standards should be equivalent to the EU directive. The UK's data minister has already confirmed that Britain is set to acquire a very similar ruleset following article 50.
In a statement, the ICO said “With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens”. In other words, reform of UK law will be necessary.
What can businesses do to prepare for the directive, and ensure compliance?
There are of course many things businesses should already be doing to prepare for the changes to data law, with perhaps the most important at this stage being awareness of what is required of businesses. Following this, auditing your business’ current GRC (governance, risk and compliance) initiatives in order to understand where you need to improve is the next logical step.
Technology and business IT will play a large role in ensuring that data governance and compliance within an organisation is maintained. Standardisation of the storage and accessibility of data through the implementation of technology and internal policy is one of the first steps an organisation needs to take.
Being able to track where data is stored and used across the supply chain is also a requirement following the EU GDPR directive. Risk management tools and audit trails that follow the distribution of data will be required in order to help govern and track the flow of information. Utilising IT solutions such as implementing a private cloud, reviewing your security infrastructure, and applying data classification software are all examples of how IT can aid an organisation.
Want to learn more about the GDPR and how you can ensure your IT becomes compliant after May 2018? Download the Prodec Networks GDPR Survival Guide by clicking on the banner below.