GDPR – There’s Still Time to Make Changes to Your Business
Six months on from the introduction of the General Data Protection Regulation (GDPR), our Operations Director Andy Jenkins looks at the impact of the regulations and why it’s not too late to make changes to your business.
“General Data Protection Regulation (GDPR) came into force in May, running on from the Data Protection Act (DPA). It involves much more specific rules around the handling of Personally Identifiable Information (PII) and Sensitive Personal Information (SPI), the reason that such data is held and the length of time that data can be held for. There are also tougher rules in terms of how organisations approach an individual for their data, and much higher penalties if any of these rules are breached.
“Breaches are assessed on a case-by-case basis and a notifiable breach must be reported to the ICO within 72 hours of the organisation becoming aware of it. If a business is unable to show a robust approach to the whole area of data security, the consequences could be severe. It was recently reported that the average fine issued by the ICO for failing to have adequate data security has doubled to £146,000 in the year leading up to 30 September 2018. This increase comes as no surprise because the number of notifiable data breaches is increasing and the new regulations are aimed at encouraging businesses to improve their approach to data security. For any business which doesn’t have plans in place, the ICO could come down on them very heavily in the event of a data breach.
“At Russell Scanlan, we’ve seen an uptake in the number of businesses wanting quotes for cyber insurance policies because they not only see the ICO is a regulatory body with some teeth, but most policies offer cover that provides access to experts who can manage and mitigate the effects of a data breach. For businesses, particularly small businesses, it’s difficult to wrap your head around dealing with the aftermath of a data breach, but it’s also a matter of having adequate resources available to deal with it. There’s nothing to stop businesses which are a bit behind the curve from taking action and improving their stance on data-related matters – it’s better to do it now than reactively in the event of an incident. Raising awareness around the issue of data breaches and GDPR will hopefully make businesses think about data and data security, which will lead to a more secure environment all-round.”