In a few short months, the General Data Protection Regulation (GDPR) comes into force, a change that will hugely affect businesses of all sizes. It is a development that must not be underestimated, and in helping businesses work towards the changes, I see the enormity of the challenge. I would advise all businesses to start planning now, if you haven’t already done so, and to take timely action to do all you can to make the transition easier.
GDPR requires far more than just lip service – companies need to change the way they operate and manage risk to ensure they stick to the new rules. GDPR goes beyond the good principles of data protection alone. It requires companies to implement data protection by design and by default – which means that data protection considerations must be taken into account when designing any new system, process, service and so on.
It is easy to think of GDPR as a compliance headache, but it’s not. In fact, a more helpful approach may be to realise the regulation is also a form of insurance for companies. It provides guidelines and standards for businesses to face a world full of threats as cybercrimes reach epidemic levels.
Not being ready really isn’t an option, given the truly jaw-dropping repercussions of non-compliance. Companies in breach of the regulation will face huge fines, which for certain infringements could be up to €20m or four percent of total global revenue, whichever is greater.
For smaller suppliers it could be even worse, as commercial contracts are being updated to make suppliers liable for the losses and GDPR penalties suffered by large companies, arising from the negligence or misconduct of the suppliers.
To avoid such fines and losses, companies need to think seriously about their systems and procedures, and even more so about their people and compliance culture. Many businesses will need to evaluate whether their hardware, software and procedures are fit for the purpose of ensuring information security over the entire data lifecycle, from collection, retention and storage/retrieval through to destruction.
However, the systems and procedures are ineffective without better staff training on the importance of the new procedures and on what part each individual employee is expected to play in the company’s compliance with them. This training doesn’t have to be expensive, and can be made very accessible through a variety of e-learning courses, assessments and games that are available to engage and educate staff.
GDPR is not a transient issue that will go away any time soon. All companies, regardless of their views, will need to take steps to comply. With a measured approach starting now, companies can ensure that they are ready for May’s introduction with minimum fuss.