What pitfalls await your business on its way to GDPR Compliance
GDPR compliance means that your business needs to be classified as compliant with the new General Data Protection Regulation. In only a couple of months, GDPR compliance will be even more important than adhering to the currently active Data Protection Act of 1998. The General Data Protection Regulation comes into effect on 25 May 2018. That might seem far in the future, but given all the changes it brings about, it is effectively right around the corner. The purpose of this article is to help you better understand the General Data Protection Regulation criteria and assist you in preparing your business for GDPR compliance. Below you can read about the following points:
- What makes GDPR compliance more important than the currently active DPA compliance?
- Which businesses should worry about GDPR compliance?
- How long do I have to prepare my business for GDPR compliance?
- What penalties await businesses that fail to demonstrate GDPR compliance?
- What does Personal Data mean in the context of the GDPR compliance requirements?
Why is GDPR Compliance more important than the previous DPA Compliance?
What are the consequences of failing to demonstrate GDPR Compliance?
To understand the importance of GDPR compliance, one needs to take DPA penalties into account. Currently enforced by the Information Commissioner’s Office (or ICO for short), the Data Protection Act of 1998 has the following sanctions in place:
- Monetary penalties – Ranging up to a maximum of £500 000, these penalties are usually enforced for serious DPA breaches.
- Prosecutions – Breaching the DPA on purpose can result in heavy prosecutions, including, but not limited to, prison sentences.
- Enforcement Notices – the DPA dictates that organisations that are in breach of the act must take specific steps in order to be found compliant with the law.
- Audits – Every company or government department can be subject to an audit by the ICO should they see a need for it. Consent is not required.
There has been a steady rise in the number of businesses fined by the ICO since the implementation of the DPA, as clearly shown below:
- 2010: saw a total of 2 fines, adding up to £160,000
- 2011: saw a total of 7 fines, adding up to £541,100
- 2012: saw a total of 17 fines, adding up to £2,143,000
- 2013: saw a total of 14 fines, adding up to £1,520,000
- 2014: saw a total of 9 fines, adding up to £668,500
- 2015: saw a total of 18 fines, adding up to £2,031,250
- 2016: saw a total of 21 fines, adding up to £2,155,500
- 2017 (January): saw a total of 2 fines, adding up to £170,000
As of right now, the ICO is yet to issue a monetary penalty higher than £400 000. That does not sound that harsh, does it? Well, once the General Data Protection Regulation rolls in, the fines will see a dramatic increase. The upper penalty limit will see a 4000% increase, ending up at £20 000 000 or 4% of the annual global turnover of the given business, whichever is the figure the regulator applies. This makes GDPR Compliance absolutely essential for any business owner, regardless of size or niche.
Does my business need to care about GDPR Compliance?
Which businesses should be concerned about GDPR Compliance?
To determine whether your business will be affected by the new General Data Protection Regulation, consider the following points:
- GDPR Compliance is a must if your company processes the data of EU data subjects
- GDPR Compliance is a must if your company processes the data of minors
- GDPR Compliance is a must if your company is not ready to immediately report data breaches
- GDPR Compliance is a must if your company stores data subject information for extended periods of time
If even one of the points above applies to your company, then you most certainly need to take GDPR compliance seriously. As a matter of fact, ensuring that their business can demonstrate full GDPR compliance should be on the mind of each and every company owner who works with digital data.
GDPR Compliance facts:
- GDPR Compliance is a must even if you are not located within the EU, as long as you process data of EU subjects.
- GDPR Compliance affects UK businesses even post-Brexit.
- GDPR Compliance is especially important for SMEs, where cyber security is often an afterthought.
- GDPR Compliance will make the implementation of privacy by design and privacy by default a must.
Remember that the penalties for failing to demonstrate GDPR compliance are many times worse than the DPA ones. Unless you are willing to part with a significant sum of money, you should look into ensuring your compliance as soon as possible.
How long do I have to prepare my business for GDPR compliance?
Should I already be worrying about GDPR Compliance?
The short answer – YES! You should absolutely begin preparing your company for the General Data Protection Regulation right away. To elaborate – the sooner you start, the more time you will have to ensure that everything is working as it should be. There is a multitude of harsh and strict GDPR compliance requirements that you need to take into account, educate your team about and implement. As with everything in business, new processes require a new mindset, and that is a lot more time-consuming than merely writing down on paper what should be done. A simple mistake here could end up costing you a serious sum of resources that could otherwise be dedicated to improving your business, hiring new staff or introducing new and productive practices. Do not delay – take action now!
According to the IT Governance GDPR Compliance Report, 41.2% of respondents pointed out that the person in charge of their compliance project is not in possession of a formal or relevant data protection qualification. A stunning 13% stated that they have no idea whether the person is qualified or not.
Finding qualified staff is becoming increasingly difficult, especially with the quick approach of the GDPR compliance “deadline”. Should you find yourself unable to find a qualified new team member to manage your GDPR compliance project, you will need to appoint an existing staff member. This means extensive and exhaustive training that could easily clash with their current tasks and priorities. Starting the process as soon as possible will most definitely save you a great many headaches and hassles.
Seven GDPR Compliance steps to take right now:
- Understand the essence of GDPR Compliance and how it affects your business.
- Identify your current GDPR compliance levels.
- Identify gaps and what needs to be done to amend them.
- Ensure that your information security management system is in line with the internationally accepted standards.
- Document your GDPR compliance and company information security policies.
- Understand what actions you should take in the event of a data breach.
- Ensure that your staff undergoes the appropriate levels of security awareness training.
Why is failing to demonstrate GDPR Compliance penalised so harshly?
Who can risk delaying their preparation for GDPR Compliance?
Short answer - Nobody.
When looked at from a user standpoint, asking businesses to demonstrate GDPR compliance is a way to defend the privacy rights of every individual. Why should users be exposed to unsolicited messages, fraud attempts and cyber-attacks as a result of some company’s carelessness? Do you happen to particularly enjoy seeing your inbox full of fraudulent SPAM messages trying to sell you the “latest and best product that will make your business/personal life 1000 times easier”?
Do you feel secure in the knowledge that, at any point in time, a clever cyber-criminal can get hold of your social accounts or credit card details, or social engineer their way into your life? Well, nobody does. And with cyber security being as hot a topic as it currently is, the General Data Protection Regulation was bound to happen sooner or later. Strict data management is an absolute necessity, especially in our day and age. Security and privacy should not be an afterthought.
In closing, ensuring that their business can demonstrate full GDPR compliance should be a priority for every company which processes digital data. As a well-established London-based provider of Cyber Security and Online business solutions, Go Live UK can assist you in your preparation for GDPR compliance. Click the button below to get in touch with our experts right now and begin your journey to a safer, GDPR-compliant business!