GDPR - do you know what’s coming?
The biggest change to data protection and how businesses process personal data in 20 years is set to take place when the new General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. Compliance with GDPR is not optional and so businesses, charities and public bodies are in a race against the clock to get ready for the changes. But are they ready for GDPR?
According to a survey of small businesses by Aldermore bank, two in five small and medium-sized firms in London have not heard of GDPR, and the bosses of 420,000 businesses in the capital are not aware that they will have to report data breaches and give consumers the right to be forgotten. These results are extremely worrying. Every business faces a real risk of cyber-attack, and that risk will only grow as more economic activity moves online. Businesses that do not make the changes needed to comply with GDPR are therefore leaving themselves open to huge fines as well as reputational damage.
There are also concerns that UK charities are failing to prepare for GDPR. According to a survey by The Guardian newspaper of more than 300 UK charities, whilst most charities are taking the changes seriously, a worrying number of small charities are yet to take any steps towards compliance: over one fifth of respondents (22%) said that they have not taken any steps at all. Similarly, a survey of major global brands by the World Federation of Advertisers (WFA) suggests that the majority of marketing businesses do not understand the full implications of the GDPR and are not equipped to deal with the legal consequences. According to the WFA's research, 70% of brand owners are not fully aware of the extent of GDPR, only 65% expect to be fully compliant by May 2018, and only 41% have a strategy in place to comply with the new law.
It is a concern that, only eight months away from the date on which GDPR comes into effect, many organisations do not understand its full scope and are not yet preparing to be compliant. The stakes are high: fines of up to €10m or 2% of group worldwide turnover (whichever is greater) can be imposed for less serious infringements, and up to €20m or 4% of group worldwide turnover (whichever is greater) for the most serious infringements of GDPR. Whilst the Data Protection Bill (which will bring the GDPR into domestic law) is still working its way through Parliament, the GDPR itself is in final form, so there is no reason to wait. Organisations need to educate themselves on GDPR and understand what personal data they hold, for what purpose it is processed and where it originated from. They can then formalise a plan to prepare for GDPR by taking steps such as prioritising data protection, reviewing consent mechanisms and updating privacy policies. As 25 May 2018 is approaching fast, the time for action is now.