GDPR comes into effect in May. What does this mean for businesses?
By 25th May 2018 all businesses will have to be compliant with the new General Data Protection Regulation (GDPR). This EU directive sets a new standard for organisations that collect, store and process personal data. With a host of high-profile data leaks recently hitting the headlines – including flagrant abuses of our data – it seems that GDPR can’t come soon enough. But what will it actually mean for businesses and individuals?
An overhaul of data collection
A traditional operating method of many companies has been to collect as much of our data as possible, even if they have no foreseeable applications for it or even the desire to use it. Not any more. GDPR will put an end to the indiscriminate harvesting of our information. It will only be possible to collect data for ‘legitimate, explicit and specified’ reasons, and only then if a person has consented to this in advance. If companies can’t demonstrate that they have a clear need for our personal details, then they are not entitled to collect them. They will also have to ensure that our personal data is kept up to date, and is processed in a secure way. Individuals can demand at any point that all personal data held on them is deleted, including any that is held on backup files. Any organisation in breach of GDPR can be fined up to 4 per cent of their annual turnover or €20 million, figures which should give companies a strong reason to get their data policies in order.
Taming the wild west of data
The changes in store with GDPR will usher in a new data landscape for businesses. However, adapting to new and rigorous regulations isn’t always easy. Will companies face significant challenges in GDPR compliance? As Karen Schuler, Head of Data and Information Governance at professional services firm BDO USA, states, many businesses still aren’t fully prepared. “We’re seeing that staff are not yet trained in GDPR,” she says. “There are limited numbers of companies with data protection officers, and incident response plans are not yet in place to ensure compliance with the 72-hour breach notification requirement.” Instead, companies have been thinking short term. “There has been a strong focus on penalty avoidance. But we think they should use GDPR as a springboard to reap the ‘silver lining’ benefits to GDPR, such as the chance to improve performance.”
GDPR, then, provides businesses with the perfect opportunity to streamline their data processes. This will make data more manageable, cutting down both administration and storage costs. However, untangling these multi-layered and often haphazard systems is no mean feat. “Some enterprises have so far not identified relevant business processes, systems and data sets likely to contain personal data, or how this is organized at their vendors,” says Schuler. “Companies need to pin down those processes within their walls but also along their supply chain or across distributors and who’s responsible at each point or stage. This will be vital in determining responsibilities as a data ‘controller’ or data ‘processor’—or in some cases, both.”
Data security is an important part of GDPR, as the new regulations attempt to mitigate the numerous high-profile hacks, cover-ups and dodgy data dealings of the past. As a minimum, companies must ensure that they have basic protection methods in place, such as patch management, strong passwords, firewalls and encryption. This being said, it will never be possible to completely eliminate the threat of hackers. Karen Schuler notes that it will be increasingly important for businesses to show that they take data security seriously. “Not only must preventive measures be taken,” she says, “a plan must also be prepared in case security measures are circumvented by a hacker. In the event of an incident a company needs to be able to demonstrate that it has acted with all due care. This ‘demonstrability’ in the event of data leaks will be important, also when it comes to reputational damage.”
As cyber attacks become more and more sophisticated, it is becoming increasingly difficult for businesses to protect themselves. Whilst GDPR won’t eliminate data breaches, it will alert companies to the importance of taking data seriously. From the kind of information that is collected to the way it is stored, the need to protect customer data will go hand in hand with a business’s need to protect itself. GDPR will turn data security into self-preservation.
Is your business prepared for GDPR? What are the biggest challenges in the future of data collection? Do the new regulations go far enough in protecting our personal information? Share your thoughts.