Ian Sharpe, Branch Director for Bluefin in Swindon, gives us an insight into the new General Data Protection Regulation (GDPR), explaining what it is and how you need to prepare.
Data protection and privacy laws are currently a very hot topic. The biggest reform in two decades is currently underway, impacting businesses across Europe. But do you know what it means and more importantly how it will impact you and your business?
The new legislation, redesigned for the 21st century, gives both private and business customers increased rights and controls over their personal data held by your business. You will be required to:
- Acquire explicit consent from customers before collecting sensitive data
- Obtain consent from parent/guardian before processing data for minors
- Demonstrate how “clear affirmative action” was used to gain this consent
- Adhere to new restrictions on how you use data held to “profile” customers
- Understand and adhere to the new and enhanced rights your customers have, including the right to erasure and enhanced access rights
- Demonstrate and verify how you comply with the legislation
GDPR and cyber risks
When the new legislation takes effect on 25 May 2018, companies could face significant fines for failing to comply. The maximum fine for a breach of the Data Protection Act is £500,000. A breach of the GDPR could result in a maximum fine of EUR 20M or 4% of total worldwide annual turnover, whichever is higher. In 2015, 74% of small and medium businesses reported a security breach, leading to an estimated £908m in fines.
It is worth noting that fines aren’t the only issue for businesses facing a security breach. Reputational damage, business disruption, and loss of revenue are also key risks.
Fines are not limited to security breaches. The highest fines that may be imposed by data protection authorities relate to infringements of the GDPR concerning the lawfulness of the data processing, data subjects’ rights (including transparency on how individuals’ personal data is used), and international data transfers.
With the increased fines and expanded scope of GDPR, which also applies to data processors, now is the time to review and remediate existing policies, procedures, systems, and documents.
Risk mitigation strategies
It is increasingly important for businesses to evaluate all the risks they face and to include IT security and protection requirements in their overall contingency strategy. It is equally important to check whether your insurance adequately protects your business against cyber threats. Not understanding the GDPR is not going to be a good enough excuse, regardless of the size of your business.
For a more detailed overview of your responsibilities under the GDPR, visit www.ico.org.uk. If you need more information about protecting your business, why not visit our website: www.bluefingroup.co.uk