The EU GDPR: The clock is ticking for UK businesses

Across the globe, an alarming number of widely known businesses are falling victim to data breaches. Public concern over the safety of private data is becoming increasingly prevalent, due to the large amount of media coverage surrounding prolific scandals like last year’s incident at TalkTalk. Those concerned about these events are right to be; the breach at TalkTalk alone resulted in the addresses, credit card details and account information of four million customers being put at risk. The good news for consumers is that their concern is shared by legislators in the European Union. In fact, for many years the EU Commission been preparing for this legislation, having taken it upon themselves to prevent these data breaches from becoming commonplace by placing an ever larger burden on the organisations potentially being targeted by cybercriminals.

Preparing for the GDPR

Officially adopted in April, the impact of the European General Data Regulation (GDPR) will be felt across the continent, including in the UK, when it comes into full force in 2018. As a replacement for the established Data Protection Directive – created to regulate the progression of personal data in the EU – the GDPR will be by far the most significant to data protection in the EU since 1995.

Despite Brexit, UK businesses need to be ready to align to the EU GDPR. The new regulations will affect all businesses with operations within the EU, regardless of where their head office is located. This means that, post Brexit, UK based businesses are urged to become familiar with the new regulations in order to be prepared for when they come into effect. The vote to leave the EU does not change this.

The most obvious change is that it will increase the penalties and fines associated with non-compliance and for suffering data breaches. Fines for infractions are grouped into industry tiers, resulting in different fines related to the activities of the organisation. Administrative fines will be set at a minimum of two per cent of global turnover, though some offenders could face fines as high as four per cent. The significantly increased fines alone will bring headline grabbing figures usually seen in the US. Had last year’s TalkTalk data breach occurred under the GDPR, the company’s fines could have amounted to a staggering £90 million.

The regulations also include a public breach notification clause, which will require companies who fall victim to a data breach to notify regulators within 24 hours of discovery. In many cases, regulators will also be required to release the names of these companies, for the sake of public safety. This will likely result in companies facing irreparable reputational damage, decreased share values, eroded client trust, reduced employee allegiance and loss of business to competitors – adding a tremendous impact on top of those already faced by companies who have been the target of a data breach.

Preparing for compliance

Although the GDPR gives some leeway to small and medium-sized enterprises (SMEs) deemed to pose a smaller risk to the privacy of citizens, even 'one-man-bands' will be expected to be fully compliant with the regulations. They must manage their data just as closely as their larger counterparts, avoid introducing unnecessary privacy risks and consider the risks their business practices pose to the privacy of their customers.

With the new regulations having been adopted in April, the two years allotted to companies to achieve compliance means time is already beginning to run out. Given the complexity to align, it is recommended that organisations take a much more proactive approach sooner, rather than later. In order to avoid facing heavy fines, or worse, being publically named as untrustworthy, businesses need to ensure they remain in control of their systems and prevent the threat of a data breach.

Lewis Henderson, Director, Client Engagement at Glasswall Solutions

Image Credit: Jiri Flogel / Shutterstock