Are you Ready for GDPR?

The countdown is on. The General Data Protection Regulation (GDPR) comes into force in less than a year now – on 25 May 2018 to be exact.

What is GDPR?

This far-reaching new data protection legislation will impose a range of new regulations and rules on how companies control and process their customer and prospect data.

It expands the rights of EU citizens around privacy and protection of personal data. Companies are required to maintain adequate data records, appoint a data protection officer, disclose data breaches and increase opt-out options. Importantly, in the new regime penalties for non-compliance will be significantly larger, with fines of up to €20 million or 4% of annual global turnover, whichever amount is higher. This makes non-compliance a significant business threat.

Not Ready? You are Not Alone…

Worryingly, a recent YouGov poll of 2,000 UK businesses showed a lack of awareness of this new legislation among many businesses, with only 29% having started to prepare for the new data governance rules.

Other research similarly shows that only 34% of UK marketing and advertising businesses are aware of the new European data protection legislation (a survey of 187 companies by the law firm Irwin Mitchell).

But What About Brexit?

It doesn’t change anything, as the GDPR will come into force before the UK leaves the European Union. Both the government and the Information Commissioner have confirmed that it will apply. So, come May 2018, organisations handling personal data had best be ready to comply with the GDPR.

Preparing for GDPR

We suggest you visit the ICO website, which has a host of useful information, including a handy 11-page PDF entitled Preparing for the General Data Protection Regulation (GDPR) 12 Steps to Take Now, which is a good starting point. So is their Data Protection Self Assessment, which provides useful ‘more information’ for each component.

So, with next May’s deadline fast approaching, make sure you have appointed a data protection officer, understand how to implement the right to be forgotten, and have data portability processes in place, so that your organisation is compliant. Good luck.

Data Protection Laws: Times are a Changing…

New data protection regulations come into force on 25th May 2018 affecting every organisation that offers products or services to EU citizens, as well as those handling data of EU citizens.

The new General Data Protection Regulation (GDPR) requires organisations to adhere to a strict set of data privacy and security measures including:

  • Implicit consent with an onus on organisations to demonstrate that consent has been given – no more small print tucked away or pre-ticked boxes,
  • Data security breaches reported within 24 hours,
  • Appointment of a Data Protection Officer with access to the Board / senior management team,
  • Subject Access Request response period reduced to 30 days and £10 fee abolished,
  • Right to be forgotten.

It will be enforced in the UK by the ICO with fines for infringement of up to €20M or 4% of the offending company’s global annual revenue, whichever is higher. To put this in context, TalkTalk’s recent data breaches could, under the new regime, result in fines of up to £72 million.

Research by Compuware Corporation shows that the majority of businesses surveyed were not yet ready with a plan to respond to GDPR.