‘Every cloud has a silver lining’ – how to ensure your company is prepared for the EU’s General Data Protection Regulation (GDPR)
Laurence Garton of HUT42, a cutting-edge web application development company, advises companies that it is time to get ready for the new data protection regulations, which come into force on May 18th 2018.
Stepping into the field of data protection can feel like stumbling through a maze of legal jargon, contradictory advice and potential penalties.
Our digital age has transformed communication and marketing opportunities for everyone from global corporations to SMEs. However, the future success of any UK business will depend on whether it is able to protect the data it holds.
The GDPR (which replaces the 1995 EU Data Protection Directive) states that any company or individual who processes data will be held responsible for its protection, including third parties such as cloud providers, and companies are being advised to appoint or assign a data controller.
There is indeed a silver lining to every cloud, in the form of the clause that a data controller must meet individuals’ “reasonable expectations” of data privacy. The regulations stipulate that tokenised, encrypted or pseudonymised data does meet these expectations.
Under the new regulation, customers can also demand that their data be erased. If one of your customers wanted their data removed from one or all of your databases, what system does your company have in place to ensure you can respond to this request?
Data controllers must inform and remind customers of their rights, and must also document the fact that they have done so. In addition, the regulation is more stringent in that customers must now opt in to having their data stored or used, rather than opt out. This also applies to any existing customer information you hold.
So what is the cost of breaching this regulation? A data breach could damage a company’s reputation in the long term and result in a loss of consumer confidence. Regulators have to be informed of any data loss within 72 hours, and enforcement is likely to involve ‘naming and shaming’ policies in each country; the UK Information Commissioner’s Office, for example, issues press releases when organisations are sanctioned.
Any client will also have the right to claim damages in the event of data loss resulting from unlawful processing, including collective redress, the equivalent of a US-style class action lawsuit. It is essential that senior management have a good understanding of the potential impact on their business.
As things stand, the ICO can apply fines of up to £500,000 for contraventions of the Data Protection Act 1998. Once GDPR comes into force on 25 May 2018, there will be a two-tiered sanction regime: lesser incidents will be subject to a maximum fine of either €10 million (£7.9 million) or 2 per cent of an organisation’s global turnover (whichever is greater), while the most serious violations could result in fines of up to €20 million (£15.8 million) or 4 per cent of turnover (whichever is greater).
It is therefore vital that every business reviews and updates its current data security process and ensures that it is able to control and measure the effectiveness of its tools and procedures. This ranges from carefully examining how your customer data is gathered, to considering the introduction of new software programmes, or even upgrading your IT infrastructure.
The companies which are prepared and get it right will build customer trust and investor confidence in their brand, as well as gaining a competitive advantage. Those which get it wrong could easily get lost and fall by the wayside.
For further advice on how to ensure your company’s processes meet reasonable expectations of data privacy, contact Laurence Garton on 01553 970034.