Today marks exactly one year until businesses must be compliant with the General Data Protection Regulation (GDPR), the EU’s new legislation for the protection of personal data. That’s not long for UK organisations to get their ducks in a row and ensure they are fully compliant in order to avoid fines of up to €20m (£17.25m).
To start, let’s find out who the experts are and why you should be listening to them:
Emma Ball is a Senior Associate at Squire Patton Boggs
Matt Bruce is Director at Bruce & Butler Ltd
Nicola Frost is Head of Legal at UKFast
Victoria Leigh is a Disputes Partner at Squire Patton Boggs
Paul Mason is Training and Development Manager at Secarma
Our webinar host, UKFast MD Jonathan Bowers delves right into the big questions with data security professional Matt Bruce.
“The Data Protection Act (DPA) 1998 is out of date. GDPR is bringing us into the 21st century in terms of how we handle data and making organisations accountable for how they handle it. It also gives the data subject better rights and the ability to say, ‘I don’t want that to happen’, which hasn’t happened in the past, and it’s been exploited. The GDPR applies to all European data. Therefore, if your organisation is in a different part of the world and you’re processing European data, you are accountable to the GDPR.”
Squire Patton Boggs’ Victoria Leigh places emphasis on the need for businesses to comprehend the sheer scale of the fines involved for failing to comply:
“We’ve all heard lots in the press about cybersecurity issues, people are being attacked all the time. Something is going to happen [to your organisation] and the one way of reducing your fine, if you can’t prevent an issue, is to at least show that you have systems in place to try and prevent something going wrong. So you need to start looking at it now so you’ve got time to act.”
“The bar isn’t set up to prevent any hack or data breach, full-stop. When the regulator is looking at your actions they will look at the security measures that you had in place and whether these were appropriate, the cost of implementing such measures and the nature of the data you’re holding.
“It’s about setting the context of the data you hold and the available measures out there. What’s appropriate for one organisation will not necessarily be appropriate for another.”
This is a particularly crucial point to acknowledge: industries such as marketing and recruitment are likely to have more to consider about the data they hold and are able to use under GDPR than, for instance, a security company.
“You’ve got to have consent to use that data for marketing. There have been quite a few fines in the lead up to the GDPR already, with people contacting the customer base and asking for consent. So it’s even an offence to do that by email if you’ve opted out.
“Every organisation must understand where they are now, where they need to be, and have the risks assessed. They must take the viewpoint of: are the risks big enough for us to deal with, at what point should we deal with them, and are we aware of the implications should anything happen?
“Personally I would focus on understanding what the organisation does using a data mapping exercise, what data we hold, how is it looked after from a security perspective, is it being shared, are our sharing agreements in place?”
Has your business begun to prepare for GDPR compliance yet? There’s a lot for every organisation to get in order ahead of the deadline in 12 months to reduce the risk of substantial fines.
Download the GDPR toolkit for instant access to our webinar and two whitepapers to start your GDPR journey off on the right foot.
Disclaimer: The information in this blog is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an advisor or solicitor.