GDPR will impact on your business


In May of 2018, the GDPR will come into force. This is the ‘General Data Protection Regulation’, to replace the old outdated rules, which in a nutshell are the strict new stricter rules all companies no matter how small and organisations throughout Europe must follow when they gather, store or use personal information in the future.

One only has only had to glance at the media recently to see how desperately needed the GDPR is in the UK. Hardly a week has gone by without a newsflash about yet another data hack, or a screaming headline about online data crime.

Prevention always makes more commercial sense than cure, so the GDPR is all about the protection of data. This means that every single company and organisation in the UK, regardless of size or sector, which stores and uses personal information, will be responsible for the safety of that data on their electronic systems.

The penalties for non-compliance of GDPR will be severe. The Information Commissioner’s Office (ICO),  the independent watchdog in the UK responsible for overseeing the new rules, will have the power to issue fines of up to £500,000, or 4% of turnover, yes turnover not profits.

For a large company that would be a substantial financial punishment, for an SME it could be catastrophic. So it is easy to see how critical the Government views the current situation of ‘data at risk’, and want implementation of GDPR throughout the UK asap!

This being the case, in practical terms what will companies have to do to comply with GDPR?

They will need to make sure that all employees who come into contact with the personal information of past, present or possible future clients understand what GDPR means for the organisation. It will not be enough for senior management to be the only ones in the know.

A data audit should be carried out. This should answer the who, what, why, when and how any personal data is/was collected, stored and managed. Is it secure?  How long will you keep it? Do you ever share it with other organisations and are their data security systems tight? Are you GDPR compliant? If not what will you do to be so by next spring? The countdown has already started, so now is the time to begin making plans and actioning them.

Companies will need to have a rock solid process for ensuring that customers give explicit permission for their personal data to be held. Under GDPR this will be mandatory, it will no longer be enough to simply claim implied permission because an opt-out choice is offered and not taken up. Directors should also be aware that customers will have the right to find out from companies what, how and where their personal information is being held.

Also GDPR will demand that companies have a comprehensive system for reporting any data breaches within 72 hours, particularly where there is a risk that the data could be used against the right and freedoms of individuals.

Finally each organisation will have to appoint a Data Protection Officer. As the title suggests this will be someone with the responsibility for all the data the company gathers and holds. They will have to be experts in the field and GDPR itself in particular, and report directly to senior executives. Who will your company appoint in this role? Employ an outside expert or have someone in-house?

GDPR is on its way. So it is time to think about becoming compliant. The social responsibility makes it essential for companies to do so; the possible penalties make it irresponsible for them not to.