The seismic impact of the GDPR on your business


What is GDPR

According to recent polls, less than 43% of businesses have even heard of the GDPR, so let’s start with what it is.  GDPR stands for the General Data Protection Regulation.  It’s a complete replacement of the DPA (Data Protection Act) and it brings in a whole new set of accountability requirements on your business if you process any personal data of any EU citizen.

How will this impact my business?

The first reason it's important to understand now is that it brings in new mega-fines for non-compliance with a set of much more rigorous rules: €20m or 4% of your global turnover, whichever is the greater!  Secondly, it's EU law now!  It will be brought into UK national law in Q2 2017 and those fines for non-compliance will be executed starting May 2018, so there is really limited time to prepare your business.

For most businesses there are two key areas to focus on. First, a shift to “unambiguous” consent to process someone’s personal data. While it's yet to be legally tested to understand what this will mean, what is clear is that catch-all terms and conditions will be less valid, and for different processing purposes you may need separate consent.

The GDPR brings in accountability requirements that mean you will need to show you have gained explicit opt-in consent and have an auditable trail of validation!  Expect a lot of companies to start re-validating consent in their databases! Secondly, if you build products or services you will now need to demonstrate you went through a PIA (Privacy Impact Assessment) and sought to build your product/service Private-by-Design. Both these requirements will mean you will have to show you have considered and implemented industry-standard security techniques. How retrospective this will be is yet to be determined, but remember the GDPR is EU law now.

There are many, many more new requirements on business, and SWCSC will provide future events to help educate you and your business on your new responsibilities … and no, Brexit will have no or limited impact on the need to be GDPR compliant.


Geoff Revill is a member of the steering group of the South West Cyber Security Cluster and CEO of Krowdthink Ltd.