The EU General Data Protection Regulation (GDPR) – a new Europe-wide data protection law that will supersede national laws such as the UK Data Protection Act (DPA) – will affect every organisation that processes the personal data of individuals in the EU (what many still call personally identifiable information, or PII) when it comes into force in just two years.
GDPR and Brexit
The Regulation is concerned with whom the data relates to, not where it is processed or who collects it: it reaches any organisation that offers goods or services to people in the EU or monitors their behaviour, wherever that organisation is based. So, even if the UK votes to leave the EU in June, every UK company that wants to continue doing business in the EU will still have to comply.
Lack of GDPR preparation
The Regulation has taken around four years to steer a somewhat turbulent course through various debates, discussions and ‘trilogue’ meetings to become law, but despite this rather lengthy legislative process, its ultimate aim has always been clear: organisations must better protect the data they gather, process and store.
Despite this apparently obvious fact, corporate preparedness for the new requirements still seems to be poor:
- A 2014 survey by Trend Micro (Understanding the journey towards EU General Data Protection Regulation – A survey report exploring EU awareness of new data protection legislation) found that 85% of British respondents “believe their organisation faces significant challenges in order to comply with the EU Data Protection Regulation”.
- A 2015 survey by FireEye (Mixed State of Readiness For Cybersecurity Regulations in Europe) found that only 60% of UK organisations understood their forthcoming obligations.
- A 2016 survey by Blancco (EU GDPR: A Corporate Dilemma) found that only 23% of respondents were prepared for the GDPR. (You can read our interview about the GDPR with Blancco’s CEO, Pat Clawson, here.)
The clock is now running: now that the GDPR has been formally approved, organisations have only two years in which to bring themselves to a state of compliance.
The DPA prescribes fines of up to £500,000 – a hit that many businesses can absorb, even if they obviously don’t want to. The GDPR, however, stipulates significantly greater penalties for non-compliance: organisations can face fines of up to 4% of total worldwide annual turnover (not profit) or €20 million, whichever is higher. Note that these penalties apply to failures to comply with the Regulation, not only to organisations that suffer a breach.
In stark terms: a business going bust because of a data breach it was not prepared for is now a very real risk.
EU GDPR audit
The publication of the GDPR in the Official Journal of the European Union today means you’ve got until 25 May 2018 to comply with the Regulation’s requirements, or potentially face heavy penalties. If you haven’t done so already, you need to start your change programmes now.
All organisations should have a clear picture of the personal data they hold: what it is, where it originated, why it is processed, where it is stored and with whom it may be shared. A data-flow audit of this kind is the starting point for every other GDPR requirement.
Certified EU GDPR Foundation training course
And if you need to learn about the GDPR’s requirements, how they’ll affect your organisation, and how you can achieve full compliance with the Regulation, you’ll be interested in our one-day GDPR Foundation training course.
EU General Data Protection Regulation Documentation Toolkit
Pre-order the EU GDPR Documentation Toolkit and receive all the critical documents your organisation needs to ensure compliance with the new Regulation, including documents covering Data Protection Policy, DPO requirements, Privacy Impact Assessments, Incident Response and Breach Reporting.
Alternatively, call +44 (0)845 070 1750 today.