GDPR, it’s one of those acronyms that you know of, but not much about. In this blog we explain what it is, who it affects and what you need to do now to make your business compliant.
So we must stress this: GDPR will affect every business in some way, and everybody reading this blog should take the matter seriously. This new EU legislation comes into effect in May 2018, so please make plans now to avoid panic at the deadline.
What Is GDPR?
GDPR stands for General Data Protection Regulation and it’s a piece of EU legislation that will come into effect in the UK in 2018. It’s being introduced because data protection laws vary so much between European countries.
With the current levels of cybercrime, information security breaches and identity theft, it’s only reasonable that updates are made to ensure the safety of businesses and individuals alike.
Who Does GDPR Apply To?
The short answer is: probably everyone. If your business stores any personal data, such as email addresses, phone numbers, etc., you’ll likely need to make a few changes. For smaller businesses, we expect a little work to be done ahead of the deadline, but larger businesses may want to set aside a significant amount of time to ensure they’re compliant.
What’s The Penalty For Non-Compliance?
Those who are not compliant with the new regulations by 25th May 2018 face significant fines. For the worst offences, companies could face fines of up to 4% of their gross annual turnover, or €20,000,000, whichever is greater.
It’s likely that smaller companies who control less data would receive smaller fines, but the message here is ‘GET COMPLIANT’, because the fines will be significant.
What Measures Does Your Business Need To Take To Be GDPR Compliant?
The first action we recommend you take is to go to the ICO website here, where they have provided a number of self-assessment tools. We suggest you complete all that apply to your business.
You should also assess the data your business already holds, and then evaluate whether you’re compliant or not. The DMA has a great webinar on conducting a data audit, register for the webinar here.
If your company handles a large amount of personal data, a data protection officer within your business may be a necessary hire.
So What About Brexit?
The short answer is, we don’t know.
Obviously EU legislation won’t necessarily apply to the UK once we leave the EU, but we doubt the Government would let businesses make significant changes and then undo those changes a few years later.
The UK government has been a leading force in developing the GDPR legislation and has indicated that post-Brexit it may retain it or put in place legislation that closely follows the GDPR guidelines.
These measures are positive for all UK businesses: they reassure anyone who works with your business that their data is secure, and they will help to prevent breaches, which can be costly to your business.
What Should My Business Do Now?
Right now, you need to plan. You need to set aside time to get a full understanding of what is required so that you can ensure you’re compliant as soon as possible. Do not leave this until May next year.
If you’re a contractor or freelancer who controls a small amount of client data, then hopefully the changes will be minimal.
If your business is an SME, it’s possible that you’ll need to set aside more time to make the necessary changes, possibly consulting an expert if you feel there’s nobody in the office with the right skill set to make them.
And for larger companies, you’ll probably want to get someone on this full-time over the course of the next few months to analyse your data and make changes to the way you operate your business.
Whatever you do, do not neglect this responsibility. The sooner you start, the sooner you can rest easy knowing your business is compliant and protected from EU fines.