May 25 is an important date on the business calendar as it’s when the General Data Protection Regulation (GDPR) takes effect. This new regulation, which covers the collection, storage and use of personal information, is being introduced by the EU to provide a unified framework of personal data protection in an age when smartphones and social media have made it easier than ever to share information.
GDPR replaces the 1998 Data Protection Act, and UK businesses have to adhere to it despite Brexit. The new rules are expected to have far-reaching consequences for businesses, both large and small…
Key points of GDPR
- GDPR will apply to any business that handles the personal data of EU citizens, including those with fewer than 250 employees.
- Firms with more than 250 employees must employ a data protection officer to make sure personal data is collected and stored responsibly.
- Data security breaches must be reported within 72 hours of them happening to data protection authorities such as the Information Commissioner’s Office (ICO) in the UK. A breach could include the loss or destruction of data, or unauthorised access.
- Individuals will be granted more rights on how businesses use their data. In some cases, they have the ‘right to be forgotten’ if they no longer want their personal data processed.
What if businesses aren’t compliant?
Failure to comply with the new rules could have serious consequences for organisations. Individuals could claim compensation if they’ve suffered damage due to an infringement of GDPR, which could mean significant costs for firms. Organisations could also be fined up to 4% of turnover or 20 million euros if regulators think they haven’t protected customers’ personal data adequately enough [i].
As well as the potential financial harm, failure to comply with GDPR also runs the risk of damaging a business’s reputation, not to mention its relationships with suppliers and partners.
How businesses can prepare for GDPR
Businesses that haven’t done so already need to act quickly to make sure they’re not caught out by the new rule changes. Many of GDPR’s principles are broadly the same as the current Data Protection Act rules, so that is a good starting point to build on.
While it may mean very little change for organisations that simply collect and store information such as customer lists and contact details, the regulations now cover a broader selection of data, including cookies and biometric data.
Firms can review security measures and policies to reduce cyber risks. This means keeping on top of software updates, and making sure employees are trained in online safety, including using secure passwords. File encryption can reduce the likelihood of a big fine in the event of a cyber attack.
The ICO has put together a plan of key actions[ii] to help enterprises comply with the new rules. These include:
- Information held: Document what personal data you have, where it came from and with whom you share it.
- Communicating privacy information: Review current privacy notices and plan any necessary changes.
- Individuals’ rights: Check procedures to make sure they cover all the rights individuals will have under GDPR, including how you’d delete their data if requested, or provide data electronically and in a commonly used format.
- Consent: Review how you seek, record and manage consent, and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Data breaches: Ensure the right procedures are in place to detect, report and investigate a personal data breach. Make sure you’ve shared these processes with the appropriate members of your team.
GDPR and cyber security
With a lot of uncertainty surrounding GDPR and what exactly it will mean for businesses moving forwards, it would be wise for firms to relook at their cyber security. After all, companies can face fines for cyber breaches due to not storing and protecting customer data correctly, as well as facing reputational damage and potential loss of business.
Making sure that cyber security is a senior management priority within an organisation will become even more important for businesses in the coming months and years. Ensuring that there is a plan in place to not only prevent breaches, but react to and communicate effectively to any that do occur.
Are you covered?
At a time of significant regulatory change, it’s also a good idea for businesses to review insurance policies to check they’re covered against any disruptions or financial risks.
For bespoke cyber insurance, check out our Cyber Cover product. This can be an important addition to a business’s overall risk management strategy.
Take a closer look at our Cyber Guide for details of the some of the most common threats and ten steps to help keep your company safe.
Follow NIG on LinkedIn