Approaching fast, the European Union’s General Data Protection Regulation (GDPR) is the biggest ever overhaul of data protection regulations. With less than 325 working days until enforcement, very few businesses have set in motion any plans to make their businesses compliant.
The impending regulations are an attempt to harmonise the (often conflicting) data standards across the EU’s member states. With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals.
The GDPR will introduce several key changes, which organisations need to start thinking about now. Key components include:
- Mandatory notification of personal data breaches to the supervisory authority within 72 hours of the organisation becoming aware of them
- Fines of €20m or 4% annual global turnover – whichever is higher
- Right to be forgotten
- Right to data portability
- Compulsory appointment of a data protection officer for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data
- Multinationals will deal with a single lead supervisory authority – the regulator in the country of their main EU establishment – rather than with a regulator in every member state where they operate.
Put simply, GDPR is all about good data governance, but for many organisations it requires a total restructure of how they handle, process and think about data – and what constitutes best practice.
Some practical advice on the IT changes which should be considered are covered in more depth in the AgilityWorks Practical Guide to GDPR (available for download) but in essence UK businesses need to focus on the following areas prior to implementation:
1. Show me the money
What makes GDPR so relevant by comparison to previous directives is the hefty penalties for compliance failure – up to €20m or 4% of annual global turnover, whichever is higher – far exceeding the current UK maximum of £500,000. That potential impact on the bottom line suddenly makes it a hot topic for Boards, business leaders and IT teams alike.
2. Protecting your brand
A data breach is defined as ‘a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorised to do so’ – so a leak, a hack, or even someone leaving a laptop on a train. Recent high-profile incidents include Three Mobile, where hackers had access to large parts of the upgrade database for Three’s 9 million UK customers, and Yahoo, where a breach in 2013 was not disclosed until late 2016. Under GDPR, businesses have just 72 hours from becoming aware of a breach to notify the regulator, and where the breach is likely to put individuals at high risk they must also inform those affected without undue delay; failing to do so is itself a breach of the regulation and can attract a fine. As with Three and Yahoo, the reputational damage could be huge.
3. Attaining compliance – and proving it
The GDPR protects several rights for EU consumers, and the most pertinent to business concerns consent. Consent is only one of the lawful bases for processing personal data, but where an organisation relies on it the conditions are strengthened: it has to be freely given, specific, informed and unambiguous, and individuals have the right to say no or to withdraw their consent at any time, as easily as they gave it. For every item of personal data held – whether names, bank details, credit or debit card details, or phone numbers – the organisation will need to be able to show a valid lawful basis for holding and processing it. Employee data is a case in point: consent is rarely ‘freely given’ in an employment relationship, so most employee data will need to rest on another basis, such as a contractual or legal obligation. Increasingly, individuals want reassurance that they can trust organisations to protect their personal data, so GDPR compliance will be critical to building trust and earning loyalty.
4. Understanding your data
Inevitably businesses collect data on different systems and from different sources to serve different purposes, but often don’t know exactly what data is held, where, or why. You cannot protect, correct, export or erase data you cannot find, so an accurate inventory is the foundation of every other GDPR obligation, and having clear data safeguards in place is more important than ever given the growing digital economy.
AgilityWorks will help you understand the data you currently have, where it resides in your systems – and most importantly – what it is being used for. Preparing for GDPR is also a good opportunity to remove obsolete data, re-engage customers, build better profiles and target communications over the coming months and years.
AgilityWorks can help prepare your smooth transition to the new world of GDPR, ensuring you continue to manage data effectively into the future.
Want to know more? Download our latest webinar, which explores some of the opportunities GDPR brings: