The new EU General Data Protection Regulation (GDPR) is set to be the biggest shake-up to data privacy legislation in a generation. The regulation becomes applicable on 25 May 2018 and will affect businesses across the globe.
The geopolitical shifts of 2016 and 2017 have pushed preparation for GDPR onto the back burner. With Brexit focusing minds in Europe and a new American administration revisiting long-established trade deals, European data protection regulation has hardly been front-page news. As a result, the business community is worryingly unprepared for the impending deadline.
So, why is GDPR so important? Nicola Colleran, Technology Consulting Director, RSM Ireland, suggests that, “The roll-out of GDPR will change how businesses and individuals think about personal data. Businesses will need to have good reasons for capturing personal data and for using it. GDPR will drive more accountability for data protection at management level.”
While GDPR is a piece of EU legislation, it also applies to organisations located outside the EU that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals in the EU. Understanding how the new rules change existing data-handling processes, from collection and consent through to storage, retention and breach notification, is paramount.
Steven Snaith, Partner, RSM UK, cites advances in technology as the main driver behind the new regulation: “Digital advancements have resulted in consumer data being created, collected and stored within seconds. It is ever-more important to have clear laws and safeguards in place given the growing digital economy and associated cyber security risk.”
The importance of safeguarding personal data cannot be overstated. The EU is making that clear to businesses with heavy financial penalties for failing to comply with the regulation. Nicola Colleran is working to help companies understand the risks they now face. She explains that, “Firstly, there is a significant financial risk. Fines for non-compliance are up to €20m or 4% of annual global turnover. These fines can be imposed from 25 May 2018. In addition, the people affected by the data breach can also sue the company. Secondly, there is the reputational risk of having a data breach, being fined for non-compliance and being seen as acting irresponsibly with personal data.”
There is more to data protection than simply complying with GDPR, however. The new legislation marks a turning point in attitudes. It is an opportunity to put European businesses at the forefront of data protection and a chance to build trust with customers. Other parts of the world are likely to strengthen their own data protection measures as a result of GDPR. For example, the “right to be forgotten” is one aspect of GDPR that citizens of the US and other countries are likely to take an interest in.
Companies the world over need to assess how prepared they are for GDPR. Steven Snaith has been putting processes in place so that he and his colleagues can be on hand: “Our specialists can help you to assess and prepare for compliance. Through robust analysis we will identify any risks and work with you to implement processes and systems to help you comply.”
Nicola Colleran is in a similar position to Steven and is part of the team developing products to test GDPR readiness: “We can help businesses by organising information sessions for employees, performing a privacy impact assessment, performing a gap analysis to determine what needs to be done to be compliant, designing and implementing breach management processes and advising on security monitoring and reporting.”
Data is king in the present day. It is a valuable resource, and it is entirely right that the EU is taking big steps to protect it. Unfortunately, awareness is low and there are early warning signs that businesses will not be ready. At RSM we urge you to take steps now rather than be caught unprepared. It will certainly be cheaper to prepare now than to face the fines and reputational damage later.