If you haven’t already heard about the General Data Protection Regulation (GDPR), or you’ve heard of it but your organisation has yet to prepare for the upcoming changes in rules, now is the right time to start.
GDPR is an EU directive, but the Government has confirmed that it will implement the new law whatever form our withdrawal from Europe takes – so there is no point in delaying your strategy in the hope that Brexit will mean its disappearance.
The basic objective of the GDPR is to enforce stronger data security and privacy rules among organisations when it comes to protecting personal data.
The GDPR comes into effect in the UK in May 2018.
However, understanding its key elements, auditing your organisation's current data protection measures, documenting all the information you hold, and ensuring that all your data collection and processing procedures are GDPR-compliant will be a lengthy process for any medium or large enterprise.
Firms will also need to ensure their security alert systems are equipped to spot and react to any break-ins quickly because, under the GDPR, data breaches will have to be reported within 72 hours. To keep up with all these extra requirements, businesses will also need to appoint a data protection officer, who is responsible for the way they handle and process personal data.
And why is this all so important?
Because failure to comply with the new law can lead to a fine of up to £20m or 4% of global annual turnover, whichever is greater.
The rules are also quite clear on the fact that whoever is responsible for the breach – whether an employee, a malicious attacker, or a partner or other third party – is irrelevant; it will be the organisation that foots the bill and suffers any consequent reputational damage.
Starting this journey sooner rather than later will minimise the risk of a fine, bad publicity or even a legal process.