In May 2018, the European Union's General Data Protection Regulation will come into force, changing the way many businesses operate. Here we take a look at what it means for UK companies.
As of next year, businesses will have to re-assess the way they look after personal data, with the European Union's (EU) General Data Protection Regulation (GDPR) coming into effect in May.
Companies must be aware that a failure to comply with this new legislation could see them bearing the brunt of big fines that will ultimately damage profits. Instead of waiting until next year to work out how your company will cope with the changes, the government is urging businesses to prepare now, so that they do not lose out or even go bankrupt.
The new regulation will govern how organisations and businesses handle and protect customers’ and users’ personal data, meaning that they must:
The legislation will build on the UK's Data Protection Act by requiring businesses that fall victim to a cyber-attack to report the breach of data within 72 hours.
The Act has also extended the meaning of personal data so that it now includes categories such as a computer's IP address, and anything else that could potentially be used to identify a person.
A customer can also withdraw consent from an organisation or company whenever they feel it necessary, and can see the personal data that a business holds on them by making what is called a 'subject access request', which is free of charge. Users can also demand that this data is deleted under the right to be forgotten.
It is crucial that businesses take the new legislation into consideration, as non-compliance could land them in serious trouble in the form of fines of four per cent of global turnover or 30 million euros, whichever is greater. For large companies, fines could stack up in the billions and essentially put organisations out of business.
Electronic financial transaction specialist Consult Hyperion predicts that in the first three years of the law coming into place, EU financial institutions could be faced with fines amounting to 4.7 billion euros (£4.1 billion).
A spokesperson for the UK's Information Commissioner's Office (ICO) commented: "The new law equals bigger fines for getting it wrong but it's important to recognise the business benefits of getting data protection right.
"There is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals - and gain a competitive edge."