From May 25th 2018, if your business is found not to be adequately protecting the information of EU citizens, you could be fined up to 4% of your annual turnover, or 20 million Euros - whichever is greater.
This is the eye-watering penalty that will be imposed by the new General Data Protection Regulation (GDPR). It is being brought in by the European Parliament, the Council of the European Union, and the European Commission. The intention is to strengthen and unify data protection for all individuals in the EU.
- These regulations are coming into effect before the United Kingdom will have left the EU.
- Even after Brexit, any business holding information on EU citizens, no matter which country the business is based in, will be subject to the regulation. This means any business in the world is subject to the regulations, if they process data relating to EU citizens.
- If your organisation suffers a data breach, you are under a legal obligation to notify data protection authorities within 72 hours.
- If the breach has a potential adverse impact to the subjects of the data (i.e. your customers or prospects) then they must also be notified.
Clearly, the ramifications of non-compliance can be very damaging to UK businesses. Brexit will be largely irrelevant, as the regulations will likely come in before it happens. Even after Brexit, UK companies will still be subject to these regulations if they hold data on EU citizens, which is likely to be the majority of UK businesses. Have one customer based in Ireland, or Germany? You'll be subject to these regulations.
What Kind of Data is Covered by GDPR?
Any data held by your business on EU citizens will be subject to GDPR.
This is more encompassing than you might first imagine. For example, if you have a digital marketing function in your business, then all of the data they collect on visitors to your website would be subject to GDPR. When EU citizens visit your website, you might record the keywords they used, the pages they visited, and their names and email addresses when they get in touch via the website or download a PDF guide. Now imagine your business sells something that your customers may not wish the world to know about - you begin to understand why data protection is important.
You might think this is not your concern if you use a cloud based CRM like Hubspot or Salesforce for all your leads and customers. Then isn't it their problem to ensure that data is secure? It is. But it's still your problem too. Are you storing that data anywhere else, even inadvertently? Is it on hard drives? In email attachments? Powerpoint presentations to the Senior Management Team? Do you even know where all that data from the last 5 years or more is hiding? You will now have to account for it all and prove that you're protecting it adequately.
Personal Data Breaches
A Personal Data Breach is defined by the regulations as "a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data". A breach is therefore more than just losing data.
Consider the very highly publicised Ashley Madison hack, where millions of user accounts, including their personal email addresses, were exposed. As the primary function of this website was to enable extra-marital affairs, the data was of a highly sensitive nature. This is a perfect example of a data breach where the data processors (the company holding and using the data) would have to inform data protection authorities AND inform the data subjects, as the breach could result in negative consequences for them.
But you don't have to be a website dedicated to setting people up so they can cheat on their spouses to have to worry about GDPR. All businesses have to worry about it if they hold or process data relating to EU citizens. You might be a property developer, fin-tech company, estate agent, marketing firm, software company, pretty much anything!
Data breaches are a common occurrence, and they don't just involve theft of user account details as was the case in the Ashley Madison incident. The recent NHS incident where data became encrypted by ransomware is another example which would be subject to the new regulations.
Stats On Data Breaches (Source: gov.uk)
- 65% of large firms in the UK detected a cyber security breach or attack in the past year (2016-17).
- 25% of these experienced a breach at least once per month.
- 51% of businesses have undertaken 5 or more of the Government's 10 steps to Cyber Security.
- Only 13% of all businesses set cyber security standards for their suppliers.
- Only 29% of businesses have a formal written cyber security policy.
- Only 10% have a formal incident management plan.
- In the last 12 months, staff have had cyber security training in 22% of small businesses, 38% of medium businesses and 62% of large businesses.
These stats show that UK businesses are facing a huge number of potential data breaches and cyber security incidents, and the majority of them are underprepared and underprotected.
When the GDPR regulations come in, UK businesses are likely to suffer harsh penalties.
What Should Businesses do to Ensure they Comply with GDPR?
GDPR can seem like an overwhelming set of rules and regulations that are complex and restrictive. There are a variety of things that businesses can do to ensure they will be compliant when regulations come into play.
- Appoint a Data Protection Officer. The idea of a DPO is to have a central person who advises the company on compliance with GDPR and acts as a contact for regulatory authorities and the subjects of data held by the company. This person should be experienced and well versed in IT, data protection and cyber security.
- GDPR requires companies to appoint a DPO where their core activities consist of either:
- Regular and systematic monitoring of data subjects on a large scale - for example, this could be a CCTV business or a wearable tech device.
- Large scale processing of data in certain categories such as health, religion, race, sexual orientation, etc or relating to criminal convictions and offences.
- Even if you do not have to appoint a DPO under the regulations, it's strongly recommended that you employ somebody, or engage with an external body, whose purpose will be to ensure your business does not fall foul of the regulations.
- One option is to engage with a technology partner who specialises in cyber security solutions and can advise you on obtaining ISO 27001 certification, Cyber Essentials, and Cyber Essentials Plus - as holding these certifications will also tick many of the boxes required by GDPR and reduce the likelihood of a data breach.
- Invest in cyber security solutions and employee cyber security training to reduce the likelihood of a data breach. If for some reason you did not feel this was necessary before, does a potential fine of 4% of your annual turnover plus having to notify all of your customers that you failed to protect their data give you enough reason?
Is Your IT Provider Doing All they Can to Help You be Compliant with GDPR from May 2018?
We've put together a list of questions you should ask yourself to determine your readiness for GDPR. It's not an exhaustive list, so if you're answering "yes" to all of the questions don't think you don't need to worry about GDPR! However, the number of times you answer "no" may give you an indication of how much work you have to do before May 2018!