Advances in technology along with high profile breaches have meant that you would be hard pushed to find a business not thinking about data protection. However, with less than 18 months to go until the largest shake up in European data protection regulation in 20 years, could businesses be doing more to get prepared?
The GDPR will introduce a number of new concepts and significantly raise the bar across the board, although barely any of the fundamental elements of today’s laws have been scrapped. One of the most important changes for businesses to note is that the potential financial penalties have substantially increased – under the new laws fines could be up to the greater of €20 million or 4% of global annual turnover. Furthermore, the GDPR takes a risk-based approach, which means that all businesses, no matter what size, will have to address their current levels of compliance.
Certain businesses, such as those with a significant digital presence (retailers or online publishers for example) or those that handle sensitive information (such as clinical data) or who undertake sensitive practices (for example profiling or making automated decisions about individuals) will inevitably have an inherently higher risk profile. Even businesses that don’t deal with consumer data as part of their core business will need to think about the GDPR in the context of their HR data.
The regulation will take effect on 25 May 2018, with Brexit making no difference to this timeframe (as confirmed recently by the ICO, the UK’s data protection regulator), and businesses can and should be preparing now so that they are on the front foot. The most important things to consider at the early stages of your GDPR preparations are:
- Accountability: Who are you going to put in charge of leading this area? Are they sufficiently knowledgeable? Are they sufficiently resourced? Are the right reporting lines in place?
- Awareness: Who needs to know about the GDPR? This isn’t just something for IT or data officers. Boards should be aware of the risks, HR teams need to think about employee data, and getting GDPR compliance right will be critical for marketing and communications teams’ activity.
- Audit: What data do you have and where is it stored? What are you doing with it? Do any third parties process the data? Conduct a data mapping exercise and review your notices and consents.
- Assess: What are the gaps revealed by your audit? Where are the easy wins? Where are the opportunities? Prioritise accordingly.
The final thing to remember is that you can drive engagement by making this more than just an exercise in compliance. Today’s technologies and marketing practices mean that there are endless opportunities to extract value from your data – getting ready for the GDPR may actually facilitate this and will lower the risk of doing so.
Alexandra Leonidou, Senior Associate at Foot Anstey. Alex recently joined Foot Anstey from an in-house role at Warner Bros. Entertainment and is a specialist in data protection. For more information on how you can prepare for the GDPR or to discuss data protection further, please contact firstname.lastname@example.org