What is GDPR?
On 25 May 2018, the General Data Protection Regulation (GDPR) becomes law across Europe, including the UK. This law aims to give citizens more control over their data and to create harmonised rules to enforce across the continent.
What happened to the Data Protection Act?
In this modern age of big data, Facebook, Google, and Twitter, the old legislation became less fit for purpose. If you consider that the Act predates the first iPhone by ten years, then it’s easy to see that something more relevant was needed to protect consumers’ private data.
Isn’t there a new Data Protection Bill going through parliament?
There is, but there will be minimal divergence from GDPR rules. The main function of the bill is to enshrine GDPR principles in British law ready for post-Brexit.
Why should businesses care about GDPR?
Although this law comes from the EU, it will have a global impact. It will affect any business holding personal data on customers, prospects or employees based within the EU, and such businesses need to be preparing for the change now. If businesses ignore this law, they can be fined up to €20m or 4% of their global annual turnover. Eye-watering fines aside, it’s worth remembering that data protection implemented correctly can deliver more business value above and beyond a compliance “tick in the box”. Customers are increasingly aware of how their personal data is used, care deeply about their privacy and expect businesses to respect that. It’s good business sense to demonstrate that you ‘get’ this cultural aspect, and this is progressively becoming a marketplace differentiator for products and services.
What are the new rules?
The rules are very complex, but our advice is not to be overwhelmed by them or to see the GDPR as “the enemy”. If you build the rules into your organisational culture rather than being a slave to them, they will help you manage data more effectively, efficiently and cost-effectively, both internally and externally.
What is the impact on businesses?
There will be an impact for all businesses – for those dealing with particularly sensitive personal data, or large amounts of it, this will be significant. GDPR mandates that data protection and security culture has to be built into the fabric of an organisation rather than farmed out or siloed. This means that while your security and compliance people should be very concerned with getting the detail right, you need to ensure that staff are aware of the principles, at every level and in every discipline. Fines can currently be levied against employees instead of companies, but you need to show you trained them, and the brand damage to you would be the same regardless.
What does it mean for the consumer?
While many consumers may not be aware of the change, many will begin to notice some differences in how businesses and organisations communicate with them. Privacy notices will be more transparent, consumer rights will be upheld and publicised, and news about data breaches will travel faster and be harder to cover up. It may seem to some consumers that data is less secure after the change simply because the volume of news on it will increase. This will have a knock-on effect of further educating consumers, prompting still further questions about how you are managing their data, and again potentially being a differentiator.
What can I do today?
- Audit what data you have, and why you have it (including third parties!)
  - Any outsourced supplier also has to follow your rules
- Manage data in a structured way (a place for everything, everything in its place)
  - Document rules for what you can and can’t do with personal data
- Know who is responsible for it
  - Nominate a person responsible for addressing privacy issues (mandatory)
- Encrypt or “lock” what you wouldn’t want to be disclosed
  - If a third party can’t read the data, then the impact is massively reduced if it is lost
- Encourage and develop a security-aware culture
  - Make sure everybody can identify personal data
  - Train them in regard to the “rules” and confirm they understand
- Be prepared – expect the best but prepare for the worst
  - Have an incident response plan
  - What would you do if you had a major data breach?
  - Would you know?
Ilicomm staff have over twenty-five years of advising multi-national Enterprises on data privacy and security including IBM, Siemens, Dixons Carphone, Boots the chemist, and many others. We are now bringing business-focused experience to bear within the SME marketplace at an affordable price point.