GDPR has featured heavily in the news recently, and it’s a subject businesses of all sizes should know about. Cybersecurity and data protection are key to our business so we are keen to know how the GDPR directive will affect us and when we need to start taking action. Therefore, we thought it would be fitting to provide a quick, digestible guide on the basics of General Data Protection Regulation and what it means for UK companies.
What is GDPR?
The European General Data Protection Regulation (GDPR) is a new bill which comes into force on May 25, 2018.
It’s an update to data protection laws and will take over from the Data Protection Act (1998) taking into account the new ways in which data is now used.
The new bill will introduce tougher fines for non-compliance and breaches, whilst giving people more say over what businesses can do with their data. It also brings data protection in-line with other countries throughout the EU. The excellent IT Pro has published a lengthy article on the extensive ins and outs of GDPR which you can read here.
Should businesses be panicking?
The Information Commissioner’s Office hasn’t published final guidance for GDPR yet but their website does have some useful information including an interactive checklist and 12 steps to take now.
It’s not too early to start preparing as there are going to be some significant changes to the law. The new regulations must be adhered to, starting in May next year, therefore businesses should now be putting plans in place and changing their practices to ensure they stick to the new data protection rules. Firms should be speaking internally now to ensure they have a concrete plan in place as well as deciding on responsibilities for a smooth transition.
Companies must be in the know, ensuring they understand the complexities of the regulations and have enough time to roll out strategy which gives each department time secure full compliance.
The good news is there is still time.
What effect will it have?
The GDPR will bring about increased expectations of data privacy and will mean all organisations must commit to a common cybersecurity best practice. A business will receive a considerable fine if they don’t comply with the new regulations therefore the GDPR should, in some way, change the way a business is run - even if this only results in small changes.
Some companies may need to appoint a Data Protection Officer (DPO) to own the process and prevent the chance of a breach. Public authorities and organisations whose ‘core activities’ call for either ‘regular and systematic monitoring of data subjects on a large scale’ or ‘processing on a large scale of special categories of data’ must appoint a DPO as a mandate.
The International Association of Privacy Professionals estimates that this will result in the appointment of as many as 28,000 data protection officers (DPOs) in Europe and the US.
The GDPR could impact a company’s operations in a number of ways too - for ten operational impacts of the GDPR visit IAPP’s link here.
All the information available points to a consistent conclusion. It’s time companies take action and ensure they’re prepared.
We hope this article has alerted you to the basics, however, please note that when it comes to legal matters it’s important that you consult a qualified legal counsel. We’d recommend you read about the subject in more detail for you and your company and contact a professional. There’s plenty of time to do so if you act soon!