This article has also been published in South West Business Insider, and the article can be found online here.

With the General Data Protection Regulation (GDPR) just around the corner, it is surprising to see that so many businesses are still not prepared for the drastic changes that will take place from May 2018.

The GDPR contains much stricter conditions which must be followed when obtaining consent for processing, handling or storing personal data. There will be a number of key changes, including increased individual rights, direct obligations on data processors and harsher penalties for companies that are not compliant.

Are people prepared for GDPR?

Ashfords recently undertook a survey with South West Business Insider which looked at how prepared businesses are for the imminent GDPR changes.

Almost 3% of organisations answered that the changes were of little or no importance, whereas 50% answered that it was just as important as other compliance issues for the business. This is a concerning response as GDPR is going to hugely impact a number of organisations, no matter what sector or industry they are in.

Over 90% of participants in the survey noted that their organisation processes customer, client and employee data. This is a substantial figure, reinforcing why companies should be fully aware of, and prepared for, the new data protection regulations that will be coming into force.

Although the GDPR changes may not be of high importance to many, over 56% of companies have taken initial steps to prepare for their arrival, while 34% of companies have not yet started this important preparation.

Enforcement

So far this year we have seen a number of more significant fines being handed to companies for not complying with the rules and regulations around data protection. In the run-up to GDPR, the Information Commissioner has made it clear to businesses that it does not matter what size you are or what sector you operate in: all businesses must take data protection seriously.

The Information Commissioner has made it clear that GDPR is designed to facilitate the digital economy, not inhibit or prevent trade, but she has said that she will not be shy of using her new enforcement powers if necessary.

The increased fines will be 4% of global annual group turnover or €20 million, whichever is greater, so the financial consequences for businesses could be significant. However, you must also think of the reputational damage that a data protection breach could do.

The government has also just published the Data Protection Bill which includes some criminal offences for data protection breaches.

As well as this, organisations need to be aware of the Information Commissioner's ability to order the deletion of personal data.

What should businesses do now?

We would encourage companies to start preparing for the new GDPR imminently. Here is a list of areas companies should start reviewing now:

  • Audit - conduct an audit of all data that you process to ensure that any unnecessary data is deleted
  • Policies - start creating policies to ensure that everyone within your business is compliant
  • Consent - ensure that all consent is active, do not rely on pre-ticked boxes
  • Evidencing compliance - keep a trail of decisions in respect of data processing and carry out privacy impact assessments where required
  • Internal breach procedures - keep these procedures updated and include preparation of incident response plans
  • Training - all staff members will need to be trained on the new GDPR rules
  • Data Protection Officer - check whether you are required to appoint a Data Protection Officer for your company
  • Review - a check should be completed on existing supply chains, contracts, templates and insurance arrangements, as some of these may need to be renegotiated, and insurance reviewed to check that coverage extends to data breaches.