When it comes to the way companies handle and protect data, there’ll soon be a new sheriff in town. The General Data Protection Regulation – or GDPR – is the new legal framework meant to harmonise data protection standards across EU member states. (Sorry, Brexit doesn’t mean you breathe a sigh of relief and stop reading. It’s coming to the UK too) GDPR beyond Brexit. And this new set of laws are stepping into force in less than a year, 25th of May, 2018 to be exact. If you’re not quite sure what we’re talking about or a bit hazy on the details of exactly how it will impact your business, there’s good and bad news.
The good news is that you’re not alone. According to a recent Sophos survey of IT decision makers in Western European countries, over half of UK businesses admitted to having little to no understanding of the financial consequences of not complying with GDPR. The bad news is that you need to start to get to grips with it, and soon.
Why you need to care
€20 million or 4 per cent of your company’s annual revenue, whichever is the GREATER. That’s how much your business could be fined under the GDPR if your data is breached and you are not in compliance with the new regulations. Understandably, it’s the headline reason why businesses need to be looking carefully at preparing for the new legislation. In fact, when faced with these figures, almost a fifth of respondents admitted that, if fined, their business would close. When looking specifically at small businesses with less than 50 employees, this percentage goes beyond the halfway mark. Likewise, nearly 40 per cent of IT decision makers said it would lead to redundancies at their business.
Despite the potential to close businesses and create redundancies, 54 per cent of businesses have little understanding of the fines associated with GDPR and ensuring compliance with the new legislation is not always a priority item. France is currently leading the way in prioritisation with 30 percent of French businesses considering GDPR to be their number one priority and 25 percent of businesses seeing it the same way in Benelux. In the UK though, only 6 per cent cite it as a main priority, Brexit could be partly to blame for this disparity.
The role of Brexit
The research highlighted that many UK businesses think Brexit may mean they no longer need to comply. Over one in four UK organisations admitted that, since Brexit, they are less clear on what needs to be done to comply or think they won’t have to comply. Despite the referendum, however, UK companies will still need to be compliant with GDPR. With formal notice of Article 50 having been given in March 2017, and exit negotiations expected to take at least two years, the UK will continue to be bound by EU law till at least 2019 – long past the GDPR’s May 2018 enforcement date. Furthermore, the GDPR will also be binding on not just companies based in EU countries, but also those handling EU citizen’s data and, as such, will be relevant to UK businesses with EU customers. And to put the final nail in, the UK Information Commissioner’s Office has made clear that the UK will implement the GDPR beyond Brexit.
Are we ready?
With just under a year to go until the GDPR comes into force, some businesses in Western Europe are taking steps to ensure they are ready. Almost one in five businesses claimed to be already compliant in France and Benelux, however, the UK has less than 10 per cent of businesses currently identifying as GDPR compliant.
With data breaches occurring on an almost daily basis across Europe, day-to-day top priorities are often related to the need to reduce the risk of falling victim to an attack. Concentrate on stopping the biggest causes of data breaches by making sure the basics are in place: keep all operating systems and software up to date, implement encryption for sensitive data, and educate all employees about the risk of phishing and other social engineering attacks. Once that is done (and it needs to be done fast) you can start to focus on prioritising GDPR.
As stated, some businesses in Western Europe are taking steps to get ready for GDPR, and 42 per cent believe they will be ready. However, there is still a lot of ground to cover:
- Only 42 per cent have created a Data Protection Officer role – a much smaller number than expected
- Currently only half of organisations have measures in place to ensure the individual whose data is being collected gives consent for data collection
- 44 per cent have procedures in place to delete personal data in the event of a “right to be forgotten” request or if an individual objects to the processing of their data
- And less than half are able to report a data breach within 72 hours of its discovery
The good news, however, is 65 per cent of organisations do already have a data security policy in place, and 98 per cent of organisations either have or are currently implementing a formal plan for employees that outlines what the data security policy is and what is expected of employees when they handle personal data. This shows that organisations are making headway in promoting data security in the workplace and encouraging employees to take the matter seriously, making the next step in becoming compliant with coming legislation an easier transition.
Despite the challenges with adopting the required changes, the GDPR will also deliver the important benefit of harmonising data protection laws across 28 nation states. For businesses delivering services across EU countries, it’s expected to ultimately reduce compliance costs, complexity, risks and uncertainty and ensure people’s data is adequately protected.
John Shaw, VP Product Management, Sophos
Image Credit: Wright Studio / Shutterstock