There has been much discussion about the EU’s new GDPR legislation, including businesses being far from prepared for the impending changes due to a combination of trepidation and being just too busy with other things. Some have simply given up preparing because they believe the looming spectre of Brexit will protect them, which is, of course, false.
Only 54 per cent of businesses think they’ll be ready for GDPR changes in time, while a quarter told the Direct Marketing Association (DMA) they hadn’t even started to plan for the regulations. But this isn’t necessarily the fault of businesses – the DMA thinks the Information Commissioner's Office (ICO) has failed to offer enough guidance, leading to confusion.
“Despite high levels of awareness, with a year to prepare for the new laws, the number of businesses that believe they will be ready in time has dropped to just over half,” Chris Combemale, CEO of the DMA Group, said.
“Recent announcements and guidance from the ICO have caused much concern, that the interpretation of the laws is overly strict, penalising the companies most committed to best practice, honesty and transparency. What the industry needs is balanced and fair guidance from the ICO and Article 28 Working Party. With just 12 months to prepare we need this guidance urgently if we’re expected to be ready in time.”
One thing’s clear – whether businesses are ready or not, the new rules are coming and it’s imperative businesses have all the tools in place, but is it as simple as just appointing a data protection lead and continuing business as usual?
Comply or die
Failure to comply with the rules will see companies hit with fines of up to €20 million (or four per cent of global revenue), making the GDPR something that needs to be taken very seriously. A Veritas survey recently found that as many as one in five companies sampled feared they could be driven out of business due to the heavy penalties involved.
While work is undeniably on the horizon for all companies handling public data, it might not necessarily be the nightmare it seems – and a few concessions could see most on their way to compliance.
Some companies have already appointed a data protection officer (DPO) who will audit the company's procedures and introduce new ones to comply. For smaller companies, a new salary on the payroll might seem extreme, but it should appear a very savvy investment when compared with the hefty fines for failure to adhere to the rules.
In fact, GO DPO thinks at least 7000 companies in the UK will need to either appoint a DPO or outsource the role by May 2018, as per the GDPR’s requirements.
If you opt to keep the role in-house with existing staff, you’ll need to set aside the time and budget to make sure your public-facing issues – like ensuring your privacy notices are up to date – are high on the list of things to do. Rewriting privacy notices may be a day’s work, but it could protect a company from harm.
Taking stock of the data the company holds is equally worthwhile. You may find you are storing data that isn’t legitimately part of your mandate, and you may also find you’re missing some vital information – so a little reflection could be a huge benefit for very little outlay.
IT staff will be the people patching and updating your older and more vulnerable systems – a task which should be common practice – so make sure you get buy-in to make the entire process run more smoothly and efficiently.
Are you ready to deal with a breach?
Another unenviable task – but one that is necessary – is the formation of clear strategies for dealing with a breach.
Ensuring you have communication plans with your employees, your customers and the ICO should also be a priority. How you notify your customers that their data has been compromised could mitigate part of the damage – this is critical in cases where financial information is held.
You should also be ready to deal with deletion requests and subject access requests. As more people realise the value of their data, we will see a sharp increase in those taking active steps to check that their data is held securely.
Although so many businesses are underprepared for GDPR, it doesn’t take long to put together a plan to ensure you’re compliant now and will be able to remain so when GDPR becomes enforceable on 18 May 2018.
Employing or even contracting a data protection lead for the next 12–24 months is an investment your company should probably make if you want to ensure the task of complying with the new regulations runs smoothly for the entire organisation.
Although it’s not impossible to realign your staff to deal with the changes, it will make it much easier if you have a single person leading the project to ensure you’re GDPR-ready.