Richard Hough, partner at commercial law firm Brabners, says businesses would be wise to familiarise themselves with the GDPR.
In the biggest ever revision of EU data protection laws, the European Parliament has ratified the General Data Protection Regulation (GDPR), meaning that businesses now have until 25 May 2018 to comply with the new law.
A ‘Brexit’ will not take UK companies outside the new measures: the GDPR applies to any organisation established in the EU, and also to organisations outside the Union, US companies for instance, that offer goods or services to, or monitor the behaviour of, individuals within it.
The GDPR brings in stronger individual rights, tougher penalties for data breaches, and mandatory reporting of breaches.
The time for businesses to start getting ready is now. Penalties for non-compliance with the GDPR are high: for the most serious infringements, up to 4 per cent of total worldwide annual turnover for the preceding financial year or up to €20 million, whichever is greater.
The reporting requirements in the event of a personal data breach are stringent. Unless the breach is unlikely to result in a risk to individuals, businesses must notify the national supervisory authority, which in the UK is the Information Commissioner's Office (ICO), without undue delay and where feasible within 72 hours of becoming aware of it; a notification made later than that has to be accompanied by reasons for the delay. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed, without undue delay.
That means within 72 hours of becoming aware, businesses will have to be able to pinpoint which data assets have been affected, identify the categories and approximate numbers of individuals and records concerned, and assess the likely consequences, so that they can make an accurate report and, where required, tell their client or consumer base about its exposure.
Failure to notify a breach is itself an infringement that can attract a fine in addition to any fine for the underlying security failure, so measures to ensure the ability to detect, assess and report a breach within 72 hours should be developed and tested now.
Given the penalties for non-compliance, businesses would be wise to familiarise themselves with the GDPR, and start putting procedures and policies in place to ensure readiness.
A thorough data audit, including deleting data that is no longer required so that it no longer carries any risk, is a good starting point.
Extending good data hygiene by limiting access to data to only those who genuinely need it, together with thorough training on keeping data secure, are measures likely to help, given how many serious breaches are due to inadvertent human error.
The two-year lead-in window should be used, rather than being seen as an opportunity to ignore the GDPR until absolutely necessary.