The current Data Protection Act (DPA) exists to protect people’s personal data, whether it is stored digitally or on paper. It was a late-20th-century response to the growing volume of personal data being collected and made accessible; data protection is now catching up with the 21st century, which means new regulations and much greater accountability.
The EU’s General Data Protection Regulation, or GDPR, comes into force next year, in May 2018. Along with accountability, the thing to watch out for is compliance, and what happens if a business fails to comply with the new regulations, because the fines can be enormous: up to €20 million or 4% of annual worldwide turnover, whichever is greater. Can you afford that if you fail to comply? Didn’t think so.
So, don’t bury your head in the sand; if you haven’t already, now is the time to sit up and take notice about what implications GDPR will have for your business.
Firstly, it’s a question of reach. GDPR will apply not only to organisations established inside the European Union, including here in the UK, but also to organisations anywhere else in the world that offer goods or services to people in the EU or monitor their behaviour. In other words, the impact is worldwide, and these changes are likely to make GDPR one of the biggest global IT issues of the next few years. A USA-based company with customers in the EU, for example, will need to comply fully with the new regulations.
The global reach means that if you offer goods or services to people in the EU, wherever you’re based, you will need to be able to account for how you handle their personal data. If, say, you want to track your customers’ buying habits, you need a lawful basis for that processing and fully compliant data protection processes around it. Consent is the basis most businesses will rely on for marketing and profiling, and GDPR tightens what counts: consent must be freely given, specific, informed and unambiguous, and you must be able to prove you obtained it. It will not be enough, therefore, for your business to assume that people know they are opting in when they hand over their details.
Consent is fundamental, so be sure you can prove you’ve got it: keep a record of what the person was told, what they agreed to, and how and when they agreed.
The second big change is accountability. Under GDPR, each business is responsible for compliance and must be able to demonstrate it. If personal data is breached, whether stolen, lost or accessed without authorisation, the company has 72 hours from becoming aware of it to report the breach to the supervisory authority (the ICO in the UK), unless the breach is unlikely to put individuals at risk; where the risk to individuals is high, they must also be told without undue delay.
At the same time, GDPR widens the definition of personal data to include further categories, such as online identifiers like IP addresses, and genetic data. Some obligations already exist under current data protection rules: businesses and organisations must know what personal data they hold, where it is going, what it is being used for and how it is protected. GDPR goes further and requires this to be kept as a written record of processing activities.
But the new rules will make accountability central to data protection, so you really do need to be on top of it.
Along with accountability comes liability, and the strengthened powers of the supervisory authority (the ICO in the UK) to penalise businesses that are non-compliant, or that cannot prove they are compliant. As a business, you’ll be required to have the right data protection training in place and to conduct internal audits and reviews regularly. You’ll also have to keep records of what you do with personal data, carry out data protection impact assessments where processing is likely to be high-risk, and be able to set out your privacy policies clearly.
Failure to comply will be expensive. Whereas the current DPA caps fines at £500,000, GDPR raises the ceiling to an eye-watering €20 million or 4% of annual worldwide turnover, whichever is greater. That’s a big risk to just ignore!
The opt-in is vital here. Where you rely on consent, individuals must actively give it (pre-ticked boxes and silence don’t count), and they must be able to withdraw it as easily as they gave it. They will also have the right to erasure, which means you permanently deleting all the records you hold on them, including web records, should they request it and no other legal ground for keeping the data applies.
What Must You Do?
The implications of GDPR are undoubtedly wide-ranging, and serious for anyone failing to comply. In fact, they could be catastrophic, leading to bankruptcy in the most extreme cases.
But here’s a thing. Data protection has always had the potential to cause serious damage if you get it wrong. Previously, it might not have meant such a huge financial loss, but its reputational impact could be forceful and long-lasting. The media in particular is always ready to pounce on stories of non-compliance and data loss, and the aftershocks are often felt long after the initial headlines.
So, our point is that data protection should always be central to how a business operates, and GDPR will highlight this more so than ever before.
If you’re not already, it’s time to get properly prepared. This means putting the systems in place that will give you a clear understanding of what data you are storing, how and where you’re storing it, what relevance it has to your business, and what you’re doing to protect it. Trust us, you will soon risk more than brand damage if your data protection is sloppy.
A recent Veritas study has revealed that more than 40% of organisations it surveyed have no mechanism to determine what data they should be saving or deleting based on its value.
To make your data protection effective, and, importantly, compliant, you need to take stock of your full IT inventory, including your hardware, software, cloud-based storage and mobile devices. How is each of them storing personal data, and with whom is that data shared?
Remember, the devil is in the detail; GDPR casts a long shadow and under it we all need to be more diligent about managing data.
A Positive Note
On the plus side, there are definite business benefits to getting your data protection right, besides the obvious avoidance of massive financial penalties.
If you can demonstrate that good data protection practice is a cornerstone of your business, it speaks volumes to your audience. Much of what can differentiate you in the marketplace comes down to the confidence your clients, consumers or customers have in you.
Turn your GDPR compliance into a marketable asset, because under the new rules your customers have far more power, so it’s vital you build strong relationships with them.
In short, take responsibility now.
Get In Touch
As experts in this field, Bandicoot understand what our clients need to do in order to be 100% compliant with the new GDPR regulations, so if you’d like to speak to someone who can help steer your business in the right direction, get in touch with us today.
We provide full IT support and we design and build websites for businesses in Burnley, Lancashire and across the North West. Whether it’s help with your systems or giving you an online presence, we can help.