Tuesday 22 November 2016

GDPR – What’s it all about and how does it affect me?


One of the hot topics I get asked about at almost every customer meeting these days is GDPR.

With the Secretary of State, Karen Bradley MP, having confirmed in the last few weeks that the UK will be implementing the EU General Data Protection Regulation (GDPR), I thought now would be a good time to share some information on this highly complex piece of legislation, which is causing sleepless nights for so many business owners and directors.

By way of background, GDPR has been developed to reflect the changing use of data in the digital world in which we now live. With the digital economy built primarily on the collection and exchange of data, including large amounts of personal data that is often sensitive, there is a need to protect citizens' privacy rights. GDPR is designed to let citizens benefit from modern digital services whilst providing sound, well-formulated and properly enforced data protection safeguards, to mitigate risk and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.

Whilst these aspirations are to be lauded, there is much concern amongst the business community as to the reality of understanding and implementing the legislation within their business. Whilst the implementation date of 25th May 2018 may still seem a long way off, the reality of the situation is that the changes this legislation requires many businesses to make are so far reaching that 18 months will be barely enough time.

The GDPR represents the most fundamental change in data protection legislation in the past 20 years. It replaces the 1995 Data Protection Directive, which each member state transposed into its own national law, with a single regulation that applies directly and is enforceable across Europe for more than 500 million citizens. The implications are far-reaching and will have a major impact on businesses of all sizes. The impact is business-wide, affecting not just IT but every part of the business, from sales and marketing to HR.

The new legislation also gives the regulator real "teeth" in terms of enforcement. If you do not comply with some of the fundamental provisions, such as having a lawful basis for processing (for example obtaining the necessary consent), you can be fined up to 4% of your total worldwide annual turnover or €20 million, whichever is greater. A lower tier of up to 2% of total worldwide annual turnover or €10 million, again whichever is greater, applies to failures such as not putting adequate security in place or not reporting breaches when they occur.

To put this in context, the PCI Security Standards Council warned that had GDPR been in place last year, fines as high as £122 billion could have been levied against UK organisations based on the number of cyber security incidents in 2015. While this month’s high profile data breach at Tesco Bank could alone have racked up fines of almost £2 billion had it happened under GDPR.

And it is by no means just big businesses that are affected. In fact, of the £122 billion of theoretical fines, £52 billion would have related to SMEs.

The new legislation also requires businesses to notify personal data breaches to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The only exception is a breach that is unlikely to result in a risk to the individuals concerned. If the 72-hour timeframe is not met, the notification must be accompanied by reasons for the delay.

The individuals affected by a breach must also be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms, for example because it leaves them exposed to identity theft or financial fraud. This in turn leaves companies highly exposed to brand damage and potential compensation claims from customers.

The level of fines and the potential reputational damage of forced disclosure has made the EU GDPR a board level issue rather than an IT issue.

It is a highly complex area. The legislation is deliberately non-prescriptive (it does not mandate a specific technology or security protocol), because the law makers have recognised that to achieve its end goal it must be broad enough to cover the multitude of ways that different businesses use data, and the constantly evolving risks to that data, such as cyber crime.

Whilst this makes the legislation more powerful, it also makes implementation more complex, especially for small and medium-sized businesses that do not necessarily have the in-house expertise to unravel the legislation and apply it in the context of their own data and IT systems.

In fact, many of the small and medium-sized businesses we work with are just starting out on the journey, beginning with identifying what personal data they hold (which can be as simple as an individual's name or email address) and where that data is held.

From there, we work with them to put in place the processes, procedures and technology needed to be GDPR compliant. It is not a short or particularly easy process, but such safeguards are a business necessity to survive and thrive in the digital era, and a necessity for any business owner in the face of the potentially crippling fines and reputational damage that a data breach will cause under GDPR.
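The first step above, finding out what personal data you hold and where, is usually started with a scan of file shares rather than with a questionnaire. The script below is an added example of such a scan and is not code from the original post or from Epoq IT. It walks a directory, looks for two easily recognised kinds of personal data (email addresses and UK National Insurance numbers; the patterns are deliberately simple and are an assumption of what a first inventory needs, not validators) and reports which files contain them and how many distinct values. The sample file share it scans is constructed inline so the example runs offline.

```python
"""Minimal personal-data discovery scan (added example, not from the original post)."""
import os
import re
import tempfile

# Patterns for two common kinds of personal data. Both are deliberately simple:
# assumption is they are good enough for a first inventory, not for validation.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # UK National Insurance number: two letters (some prefixes excluded),
    # six digits and a suffix letter A-D, e.g. AB123456C.
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
}


def scan_text(text):
    """Return {kind: set_of_distinct_matches} for one document's text."""
    found = {}
    for kind, pattern in PATTERNS.items():
        matches = set(pattern.findall(text))
        if matches:
            found[kind] = matches
    return found


def scan_tree(root, extensions=(".txt", ".csv", ".log")):
    """Walk a directory and report which files hold which kinds of personal data.

    Returns {relative_path: {kind: number_of_distinct_values}}, using '/' as
    the path separator so the result is the same on every platform. Files
    whose extension is not in `extensions` are skipped (an assumption: a real
    inventory would also open spreadsheets, mailboxes and databases).
    """
    inventory = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_text(fh.read())
            if found:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                inventory[rel] = {kind: len(vals) for kind, vals in found.items()}
    return inventory


# Constructed sample files standing in for a small business's file share.
SAMPLE_FILES = {
    "hr/payroll.csv": (
        "name,ni,email\n"
        "J Smith,AB123456C,j.smith@example.com\n"
        "A Jones,CE654321A,a.jones@example.com\n"
    ),
    "marketing/newsletter.txt": "Send to j.smith@example.com and press@example.org\n",
    "it/server.log": "2016-11-22 09:00:01 INFO service started\n",
    "it/config.ini": "smtp_user=admin@example.com\n",  # not scanned: extension excluded
}


def build_sample_share():
    """Write the constructed sample files into a temporary directory."""
    root = tempfile.mkdtemp(prefix="gdpr_scan_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample share and return its personal-data inventory."""
    return scan_tree(build_sample_share())


if __name__ == "__main__":
    for path, kinds in sorted(demo().items()):
        print(path, kinds)
```

Run against a real share, the output is the starting point for the data map GDPR expects you to be able to produce: which systems hold personal data, and therefore which ones need a lawful basis, a retention period and adequate security. Note that the `config.ini` file with an admin email address is missed because of the extension filter, which is exactly the kind of gap a scan like this should make you go looking for.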

If you need any advice with assessing your readiness for GDPR, or with implementing or updating your policies, plans and technologies to be fully data protection compliant, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk
