A YouGov survey of 2,000 businesses, which was commissioned by law firm Irwin Mitchell and published in May, found that only 29 per cent of respondents had started to prepare for the new General Data Protection Regulation (GDPR), which will be enforced from 25 May 2018.
GDPR has been described as the “most important change in data privacy regulation in 20 years” and the aim is to better protect EU citizens from privacy and data breaches, while harmonising data privacy laws across Europe. All business owners and IT managers should be aware of the significant changes the GDPR will bring.
The YouGov survey also found that 71 per cent of respondents didn’t know that they could face heavy fines for non-compliance (up to 4 per cent of their turnover or €20m for the most serious breaches). When they were told, 18 per cent said such a fine would put them out of business, while 21 per cent believed it would result in redundancies. Alarmingly, a quarter of respondents didn’t think they’d be able to detect a data breach were they to suffer one.
The GDPR will apply to all companies that store and process the personal data of data subjects living in the EU. So, all UK companies processing data relating to selling goods or services to citizens in the UK and other EU countries, will need to comply with the GDPR, regardless of the UK leaving the EU, which won’t come until long after May 2018 anyway.
While seeking to raise GDPR awareness, UK business organisations such as the Federation of Small Businesses and Forum of Private Business have voiced their concerns that not enough small businesses know about the GDPR, and that they’re less equipped than larger businesses to prepare for compliance and less able to withstand fines.
Although GDPR awareness is likely to be significantly higher among UK law firms, The Law Society has also been publishing reminders via its website. In May it warned law firms that they couldn’t afford to ignore the GDPR, while law societies throughout the UK have also been trying to raise GDPR awareness. Law firms themselves should also be reminding their business customers of their impending GDPR responsibilities.
Knowledge is power
The Information Commissioner’s Office (ICO) is “the UK’s independent authority set up to uphold information rights in the public interest”. It’s committed to helping organisations prepare for the GDPR and has published much information online to this end.
In August, a blog on the organisation’s website, the latest in a series that seeks to “bust some of the myths that have developed around the GDPR”, written by Steve Wood, ICO Deputy Commissioner (Policy), encouraged readers to see the GDPR as an “evolution in data protection, not a burdensome revolution”.
Attempting to reassure businesses, Wood writes: “If you are already complying with the terms of the Data Protection Act [DPA], and have an effective data governance programme, you are already well on the way to being ready for the GDPR.” He concedes that there are new provisions with which businesses will need to comply, and he encourages them to “start making preparations now”.
Commenting on the specific criticism that the GDPR will place an unwelcomed additional burden on smaller businesses, he counters by saying it fails to “recognise the flexibility that the key principles in the DPA and GDPR provide – they scale the task of compliance to the risk”. Moreover, many of the actions SMEs need to take are “practical and straight forward”. The nature of the risk is more of a factor than size of the organisation, he argues.
Wood believes that GDPR compliance is a way for businesses to build more trust with their customers and gain more value from customer relationships. According to ICO research, he says, people would be more willing to “provide their data, and for different uses, if they felt they could trust organisations to handle it fairly, securely and responsibly”. This, he believes, provides a “major opportunity and competitive advantage for those who can demonstrate that they get data protection right”. We’ll soon find out.