What is it?
GDPR – General Data Protection Regulation – is an EU regulation that applies automatically to all UK businesses and those companies must be GDPR-compliant by 25th May 2018. And, no, Brexit won’t stop their implementation.
The drivers behind setting up a more robust data protection environment are found in the increasing misuse of personal data that has come with the digital age we now inhabit.
Just at a personal level, think about your own frustration with nuisance calls (PPI, accident, IT problems, etc.) or the capture and passing on of your personal details by Facebook, the DVLA and Google, for example.
Very few businesses will not be affected by GDPR. And we know that May next year sounds a long way out, but consider this: any commercial contract which has a data protection angle and which will be in force after 25th May next year needs to be GDPR-compliant NOW.
A quick summary:
- A requirement to have a Data Protection Officer.
- Much tighter rules on consent and precisely what the data subject needs to be told.
- More rights for data subjects, including the right to be forgotten and data portability.
- Far stricter rules about notifying data breaches.
- Far greater responsibilities for data processors.
- And probably the biggest issue for controllers and processors – the potential for very large fines.
Everyone knows about this, right?
Well, er, no actually! You may be wondering what the pictures we have chosen could possibly have to do with GDPR … assuming you are in the 20% of business people who claim to be in the know.
The images have been chosen in response to a comment from the CEO of an alliance of accountancy practices telling us about their perception and approach towards the impending application of GDPR on their clients and business in general.
The financial impact of a breach could be as high as €20 million. That alone should provide some focusing of minds. We think that this would be quite high on most businesses’ agendas and that accountancy practices should at the very least be discussing/advising their clients on the risks and how to mitigate them.
His response: “Our practices are fully aware and prepared for GDPR which we consider is like a slow-moving train in the distance”.
Now, what if what appears to be a slow-moving train is actually a high-speed InterCity 125, and by the time you realise the implications it is too late to react?
Tectona have spoken to a lot of people about GDPR and it seems that the trusty 80/20 rule applies. 80% can’t even see a train so are in no position to assess either the risk or the opportunity. The remaining 20% who can see the train seem to be simply kicking GDPR into the long grass or, worse still, are worryingly complacent.
What started out as the potential benefits of using computing to automate activities has reached a point where it is now almost impossible to know who holds any data about us, how it is used and by whom.
That is essentially what GDPR is aiming to change. Individuals will be able to invoke the ‘right to be forgotten’, to insist on opting in for communications – and to complain if that is not carried out.
For companies that operate with the right culture, policies and processes, GDPR shouldn’t be a big issue; but it still requires assessment and action.
(Clearly those who have malicious intent will lay themselves open to punishment in the form of significant fines).
Your choice is clear.
Either you take positive action to clean up random data, keep it safe and use it to add value to your customers and prospects – legally.
Or you bury your head in the sand and hope this thing called GDPR passes you by (and probably hope that this is all bluster and no-one is going to enforce it anyhow).
So that begs the question: what am I going to do? The sensible person will crave more information to fully understand the implications and risks.
And what better way of doing this than to meet up with someone who will talk you through what it means for you and for your business?