In little more than six months' time, the UK Data Protection Act 1998, which has stood for 19 years, will be torn up and replaced by the EU General Data Protection Regulation, commonly termed the GDPR, representing a complete overhaul of how organisations must handle personal data.
Because the GDPR is an EU regulation that applies directly across the bloc, rather than a UK-only legislative change, it transforms the way organisations everywhere in the Union will be required to protect our data.
Moreover, the more extreme consequences of failing to comply will certainly make companies sit up and take note, with the risks extending to mammoth fines and a significant erosion of brand credibility.
However, the regulation is not designed to inflict financial pain or to hold the threat of public humiliation over European businesses. It should instead be seen as an opportunity to give greater emphasis to information security, and to the processes that support it across an organisation.
What should businesses be doing?
Companies that hold a wealth of personal data need to take a deep dive into the practices they use to safeguard it, and in doing so assess their readiness for the GDPR.
The responsibility now falls on firms across the board to ask whether they understand the risks associated with the systems that process personal data. Are they prepared to respond to a breach in accordance with Articles 33 and 34, which require notification to the supervisory authority within 72 hours where feasible, and communication to the affected individuals when the breach is likely to result in a high risk to them? Can they act on a data subject's request to 'be forgotten' under the Article 17 right to erasure?
Companies need to make sure they sit within the minority (31 percent) that are actually prepared for the GDPR.
Close examination of compliance is now a priority. A wholesale data audit, of the kind that underpins the records of processing activities required by Article 30, is fundamental: it establishes how data is processed, on what legal basis, who has access to it, and how it is collected in the first place.
There is, of course, no harm in asking for help.
A wise first port of call is the technology firms that deal in data day in, day out. Those with the technical expertise, and the appropriate tools and services, can help an organisation demonstrate a firm grip over its data and over the tangible security threats that come with it.
The next steps are to implement data protection by design and by default, as Article 25 requires, backed by strict policy, process and procedure documentation; to create an incident response and breach notification plan; to draw up the appropriate legal documents, including consent records, data processing agreements and contracts; and, finally, to implement the required technical measures.
What does non-compliance look like?
The cost of non-compliance could be catastrophic, with firms facing fines of up to €20 million or four percent of annual global turnover, whichever is greater.
As cyber-attacks continue to grow in sophistication and volume year on year, data breaches are close to inevitable. In 2017 alone, Deloitte, CeX, Yahoo and Equifax were only a few of the names on an unenviable list of companies that disclosed breaches at the hands of attackers.
For companies whose success depends on data, the financial risks and the questions over the efficacy of their data handling practices could well be their undoing if they put a foot wrong.
Internally, and from the bottom up, organisations must evaluate how, and why, stronger information security practices build a defensible case whenever questions about their GDPR compliance arise; the regulation expects controllers to be able to demonstrate compliance, not merely assert it.
Why should consumers care?
Though the new regulation builds on pre-existing data protection law, businesses will need a new approach to handling requests from consumers, who will have more power and control over their data than ever before. Educating them is as important as the business implications themselves.
The changing realities of data protection call for a previously unseen level of transparency about data. Companies need to find out where their data is and dig deeper into the policies already in place governing its use.
The evolving digital landscape, and the integral role of technology in modern business operations, mean that the new regulation must be front of mind for business leaders, not just IT departments.
Personal data, whether it belongs to customers or sits internally with the HR or finance department, for example, could be vulnerable without anyone realising, and ignorance will not be an acceptable excuse under the GDPR.
The key, however, is for businesses to treat compliance as less about the stick and more about the carrot. Process and awareness are as important as consequences.
Contributed by Chas Moloney, Director, Ricoh UK
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.