by Myles Thomas (Data Compliance researcher)
Business across Europe and indeed the rest of the world are preparing for the General Data Protection Regulation (GDPR) in readiness for its implementation on 25th May 2018. It is safe to say that it is producing a feeling of unease for businesses, as many organisations have not been run with data protection as a primary consideration. A survey (of 1000 people reflective of the British Population) based on 2016 Annual Track by the Information Commissioner’s Office found that 79% of people did not trust businesses with their personal information.
Considering these figures, the GDPR is a positive evolution for data protection. The progression focus for companies should be to emphasise data protection from the outset and throughout their processes, learning to enhance their understanding and respect for individuals’ data protection rights. These enhanced rights under the GDPR challenge whether companies are aware of precisely what information has been captured, where it is stored, who it has been shared with and most importantly… can the entirety of this data be safely recalled and accounted for.
The proposed sanctions for non-compliance are high, with maximum fines being 4% of turnover or 20 million Euros, however, the ICO is only likely to issue these fines (proportionally) in certain scenarios. Overall it can be considered to be a positive development if they are encouraging more organisations to consider data protection as part of their DNA. Companies must accept that potential data security breaches are an inevitability, they should focus on data minimisation and have a structure in place to deal with them, rather than assuming the company is immune to those risks.
The United Kingdom is in a seemingly more precarious position than the rest of Europe; with Brexit looming and the difficulties in predicting how the GDPR will be applied once it is in force. The UK has the largest internet economy as a percentage of GDP out of all the G20 countries, so it must prioritise how it can keep European data safe, and encourage the EU to consider it a safe place for data transfers. The UK has recognised this by beginning to draft a new Data Protection Bill which mirrors the GDPR to a large extent. Its relevant authority, the ICO, is taking steps to get us up to speed with the legislation; providing information, blogs, webinars and tools to facilitate this. The National Cyber Security Centre is also publishing regular blogs and guidance, making it a relevant and viable resource for businesses; aiming to make the UK the safest place to live and do business online.
I would direct your attention to the following as a starting point:
An introduction and the twelve steps for preparing for the GDPR: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
A series of blogs from the ICO dealing with any myths surrounding the GDPR: https://iconewsblog.org.uk/tag/gdprmyths/
A Data protection self-assessment toolkit which allows businesses to analyse different areas and highlight what they are and aren’t doing well:
https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment-toolkit/
The NCSC guide for Cyber Security for small business (SMEs): https://www.ncsc.gov.uk/blog-post/cyber-security-small-business-guide