Is your business prepared for major changes to data protection regulations?
Operations Director Andy Jenkins discusses upcoming changes to data protection regulations and how your business should prepare for them – or could face a hefty fine.
When a change to the law around data protection hits in May 2018, businesses could face fines of up to four per cent of their turnover or 20m Euros (whichever is greater) for breaching the new rules on how they collect, store, use and protect individuals’ personal data.
The new General Data Protection Regulation (GDPR) succeeds the Data Protection Act (DPA), which is now outdated in today’s cyber world. It will involve much more specific rules around the definition of sensitive information and how it is used, and around the length of time that data can be held and still used. It also brings tougher consent rules in terms of how organisations approach an individual for their data – the ‘opt out’ approach must be replaced by an ‘opt in’ approach – and much heftier penalties if any of these rules are breached.
Breaches will have to be assessed on a case-by-case basis, and a notifiable breach must be reported to the ICO within 72 hours of the organisation becoming aware of it. The resulting fines will have teeth come 2018, and if a business is unable to show a robust audit trail of how data has been collected and stored, the consequences could be severe.
It is therefore very important that businesses take heed of these changes now and assess whether their data protection compliance is in order. The current feeling is that if a business is fully compliant with the DPA, it should be at least 80% compliant with GDPR, which is reassuring, but still means that all businesses should be turning their attention to the issue even if they are doing everything right currently.
When these new rules hit, it will be more important than ever for businesses to have the right heads of cover in place for cyber-crime, as data protection breaches will pose real financial risks. We predict the change in the rules will add tangible demand to cyber liability products because every business, no matter how small, holds on to some form of personal data. Every business needs financial protection and robust policies in place to demonstrate it understands where its data has come from and how it was obtained. This is now a ‘must have’ rather than a ‘should do’ as it may have been viewed historically.
In addition to the new rules, businesses and organisations which are public authorities, or which carry out large-scale monitoring of individuals, will also have to appoint a Data Protection Officer. This person will be in charge of policing the organisation’s policies and its compliance under the GDPR for new digital assets. It will be their job to assess risks, train staff, carry out cyber audits and report to the authorities if there is a breach.
In good time for these changes, we’re advising clients to revisit their business model, assess the cover they have in place for cyber-crime, investigate their data protection approach and be as critical as possible when seeing if it stands up to scrutiny – because by this time next year silence, pre-ticked boxes or inactivity will not constitute consent of an individual to hold their personal data.
If you feel your business could do with a cyber audit, then please get in touch with one of our team who will be happy to have an informal chat about your needs.