GDPR! It’s a topic which seems to be on everyone’s lips and yet when a colleague recently attended a business show the organiser was complaining that they could find no-one to deliver a seminar on the subject.  Perhaps that’s not so surprising. The General Data Protection Regulations don’t take effect until 25 May 2018 and, despite the advanced publicity, many businesses have yet to fully appreciate how the new regulations will impact them. So much so that in July 2017 a BBC survey revealed that just 27% of businesses had started their GDPR preparations.

What is GDPR? The regulations have been drawn up following an EU directive and are essentially designed to replace the existing UK Data Protection regime. As such, the GDPR introduction is being led, and will be overseen, by the Information Commissioners Office (ICO). Before we go any further, perhaps now is the time to bust some myths about GDPR:

• Brexit won’t stop GDPR happening. The regulations apply not only to those companies which operate in the EU but also to those which offer goods or services to individuals within the EU. The government has therefore confirmed that GDPR will go ahead irrespective of Brexit outcomes.
• The fact that GDPR replaces an existing regime does not mean that companies can carry on as before. Not only does GDPR apply to automated data as well as manual filing systems, the definition of personal data has been expanded to take account of technological developments. This means that even some forms of anonymized data fall within the scope of the new regime, depending on how difficult it is to trace the data back to a particular individual.

Whilst there are some exceptions, such as data being retained for reasons of national security, in general organisations which retain any form of data which can be deemed to be personal to an individual could be subject to GDPR. The regulations also require companies to document the decisions which they have taken in respect of a processing activity. Here again there are different requirements for companies depending on size with the threshold currently set at 250 employees. Having said that, companies will have to demonstrate that data protection is a cornerstone of business policies and practices.

What next?

Where does this leave businesses who are preparing for the regime change? Well for a start they may have to undertake a complete data audit in order to build an understanding of what data they hold, in what form and how it is used. But GDPR isn’t simply a data question and it should not therefore be confined to the IT department. For a start, GDPR directly impacts on directors duties, particularly in terms of risk appraisal and management. The Information Commissioner has commented that companies have to “Understand and mitigate the risk they create for others in exchange for using a person’s data.” This includes taking account of the impact of data management on society and the potential risks which accompany data breaches.

More importantly, GDPR also spreads the responsibility for respecting personal data across the entire organisation. Again quoting the Information Commissioner, directors will need to create a framework which is “used to build a culture of privacy that pervades an entire organisation.”  So training is the order of the day, building an awareness of the importance of data security and management which pervades every aspect of a business, every person and every decision.

Is GDPR a lot of work? Well, it partly depends on the way in which organisations currently treat and respect personal data. In businesses with a strong culture of customer awareness there may simply be a requirement to strengthen existing practices whilst other organisations may require a complete overhaul of their data management systems. Either way, if you haven’t yet started down the GDPR trail then now is the time to act. Oh, and if you need an incentive, the maximum fine under data protection regulations was £500,000; under GDPR this has risen to €20M or 4% of global annual turnover whichever is the greater.