The General Data Protection Regulation (GDPR) applies from 25 May 2018. This new European law marks a wide-reaching and significant shift in the way that all organisations must protect personal data. With only a few months to go until the changes need to be in place, companies should already be well on their way towards GDPR compliance. The LINK spoke with experts from some of the SCC’s Member companies about the most important aspects of the new regulation.
“If you have not started working towards GDPR compliance yet, it is definitely time to start,” said Henrik Löfgren of consultancy firm Centigo. “It is easy to focus on the date, 25 May, when the GDPR takes effect, but do not forget to think long-term straight away. Organisations will continuously have to relate to and work with the GDPR, as well as ever increasing customer expectations. This will be much easier if approached in this way from the beginning,” he added.
The GDPR applies to any organisation that processes personal data about people in the European Union, even if the processing takes place outside the EU. Under the GDPR, companies will need to be able to erase personal data when an individual asks them to and, where their processing relies on consent, obtain that consent (or fresh consent) from individuals before retaining the data or using it for a new purpose.
Tania Tandon, founding partner of law firm Tandon Hildebrand Ltd, said that the GDPR also introduces a data breach notification requirement. This means that companies have a responsibility to notify the relevant data protection authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. She said: “Companies must ensure that they have the right procedures in place to find, report and investigate any data breaches.”
If a company is found to have breached the regulation, the GDPR imposes potentially very severe penalties. Fines for non-compliance with the GDPR could be as high as 4 percent of annual worldwide turnover or €20m, whichever is greater. These large fines are reserved for the most serious infringements and are unlikely to be levied soon or lightly. However, these new provisions and tight controls demonstrate how seriously regulators now take consumer privacy. The threat of such large fines could understandably make organisations nervous about the regulation. But Tandon said: “Where a company already complies with the current data protection regime, there should be no reason to panic. Where a company is not currently compliant, the introduction of the GDPR significantly increases the risk of non-compliance.”
Löfgren highlighted that the purpose of the GDPR is not to fine companies but to protect individuals’ fundamental rights to their personal data. He added: “Organisations need to approach GDPR with serious and good intentions. Do this and you will mitigate your risks, both for fines and damaged brand reputation. Furthermore, those who approach GDPR as an enabler have an opportunity to gain competitive advantages in the long-term.”
Although the GDPR might seem overwhelming and daunting, there are several benefits to the new regulation as well. Löfgren said: “The UK Data Protection Act is from 1998 and not designed to meet today’s digitalised world, which the GDPR to a larger extent is. The GDPR will also be a common regulation for the entire EU, which simplifies business within the union.”
Daniel Teacher, Managing Director of IT consultancy firm T-Tech, which helps its clients prepare for the new regulation, said: “Treat GDPR as an opportunity rather than a pain. GDPR is giving you an excuse to finally focus on managing your data, and more broadly, security across your firm. It’s time to recognise that your data has become, and is increasingly becoming, a much higher-class asset, which needs to be handled in the correct way.”
As the new rules are so wide-reaching, it is important that implementation of, and continued compliance with, the GDPR are the responsibility of the whole company. Key decision makers and top-level executives need to be aware of the regulation and appreciate its impact. “Companies will need to show compliance with its data protection principles through effective policies, procedures and management,” said Tandon.
Teacher agreed and said it is very important that management is involved. He said: “GDPR needs to be taken seriously and it is ultimately the key decision makers in a business that will lead this disposition. Especially with new rules surrounding things like consent and privacy notices, business leaders can’t afford to make any mistakes, both reputationally and financially. GDPR is a wide spanning regulation touching on various parts of all business; employees, processes, the technology that underpins the business and the activities the business partakes in.”
To make sure companies and organisations are compliant in time, it might be worth consulting third-party specialists, but only after thoroughly assessing what data protection and privacy resources you already have in place. Löfgren said: “To succeed with a GDPR implementation, you require a project team with different areas of expertise, such as project management, lawyers, IT, privacy and process owners. Everybody is facing the same challenge, so try to utilise others’ experiences rather than reinvent the wheel again.”
Teacher agreed but added that your company carries the ultimate responsibility over the changes. He said: “The responsibility is on you for change. You can seek help and advice from experts, but ultimately it comes down to your firm recognising and wanting to improve processes. Also, speak to your clients about their own responsibility – have they thought about it? Are they following the same route as you are to compliance? Your commitment to ensuring your organisation is well equipped for GDPR is a great first step, so if down the line you do face a security breach, it can be managed and mitigated with minimal damage.”
Despite the major changes that this new regulation will bring, companies have no reason to panic as long as they are proactive and adapt their internal procedures to the standards set out in the regulation.
In the current climate, the security and protection of consumer data are of paramount importance, as customer trust and loyalty can make or break a business. Those companies that have put more time and effort into preparing for May 2018 will stand a much better chance of success than their competitors. Businesses still have time to ensure they are fit for the GDPR, but the clock is ticking.