We have all heard about the European General Data Protection Regulation (GDPR), and all the massive fines and additional overheads this will bring to businesses. Looking behind the scary headlines – what is it all about, and should we be worried?
The existing data protection laws and regulations were created in the 1990s. and a lot has changed since then. Can you remember back to what “data protection” was back in the 1990s? Bear in mind that these regulations would have been built up over a few years, so in reality, they date back even further than that.
We are now creating enormous amounts of digital information each minute of every day and the previous laws that govern our personal info are quite frankly no longer fit for purpose.
GDPR is actually what the existing regulations would have been if the technology was there at the time.
The new regulations will come into force on May 25 2018. Whether we are in the EU or not, the UK government has started that UK law will intend to be as comprehensive moving forwards (but there will be some minor exceptions or alterations, as already allowed in the EU directive). It will change how businesses and public sector organisations can handle the information of all their customers.
Once GDPR becomes law in the UK it will not be managed by the government, however it will be enforced by the existing Information Commissioner’s Office (ICO).
The GDPR states smaller offences could result in fines of up to €10 million or two per cent of a firm’s global turnover (whichever is greater). Those with more serious consequences can have fines of up to €20 million or four per cent of a firm’s global turnover (whichever is greater). These are considerably larger than the £500,000 penalty the ICO can currently wield.
It you thought that the ICO would “wield a light touch” then remember one thing – the ICO is designed to be SELF FUNDED. That means it will not receive any government funds going forward. All the expenses and costs of the organisation are to be met with the fines if can collect.
You should expect some highly public fines across the board very early on in the process.
The draft regulations have spawned a raft of GDPR experts who want to help businesses prepare for the changes GDPR will bring – at a price, and with additional services or software to help you as well.
What is talked about less however it that as businesses, we should all be doing the bulk of what is required already under the 1998 Date Protection Act.
Elizabeth Denham, the UK’s information commissioner (in charge of data protection enforcement), says she is frustrated by the amount of “scaremongering” around the potential impact for businesses. “The GDPR is a step change for data protection,” she says. “It’s still an evolution, not a revolution”. For businesses and organisations already complying with existing data protection laws the new regulation is only a “step change”.
It should be noted that whilst the ICO has the power to conduct criminal investigations and issue fines, it is also providing organisations with huge amounts of guidance about how to comply with GDPR.
Much of this guidance is checking you are doing things correctly under the existing rules, and having a plan to ensure that you can meet the new requirements as soon, and as comprehensively, as possible.
Once the fines start to roll in – you can be sure that those businesses and organisations without any plan will be hit hard.
So what we want to say is this – GDPR is business as usual in that you need good solid procedures, and that even at this very late stage, there is a lot of advice out there for you to make sure you are well on the way to compliance before the end of May.
You should utilise external guidance where required, but also make good use of the available information freely being provided by the ICO.
Some very useful links in this regard are:
Finally – if you want more assistance on how this fits in with your business as a whole and the impacts on growth – speak to your local ICON advisor – it will cost you nothing to grab a coffee and see what you may need to be doing.