The EU’s General Data Protection Regulation (‘the GDPR’) comes into effect on 25 May 2018. This means that the clock is ticking and that organisations have limited time to prepare to comply with the new data protection regime and stricter requirements for processing personal data.
Although the new regime has been headlined as an evolution rather than a revolution, there will be some significant changes from the previous data protection regime. For example, reporting of data breaches to the ICO (Information Commissioner’s Office) will become mandatory after 25 May 2018, whereas under the current Data Protection Act it is only a recommendation.
From May 2018, the ICO’s enforcement powers will include powers to ban or suspend data processing, potentially at great cost and inconvenience. The ICO will have the power to issue increased fines of up to £17 million or 4% of global turnover, whichever is the higher. Currently, fines are capped at £500,000.
Individuals’ rights will also be bolstered by reform, with individuals being able to bring civil claims, either alone or as part of a class action, for failure to comply with data protection principles. Historically, individuals could not bring standalone claims for distress or hurt feelings and so claims were rare – this is likely to change from May 2018.
Organisations with measures already in place to manage their data processing activities will be in a strong position to adapt their existing procedures to the new regime. However, organisations which have not previously prioritised data protection compliance may be vulnerable to complaints and enforcement action by the ICO.
One of the key features of the new regime is the requirement for organisations not only to comply with data protection principles, but also to be able to demonstrate their compliance through the adoption of internal governance measures, appropriate records, documentation, policies and procedures. These new requirements, aimed at improving accountability and transparency, are a major challenge for smaller businesses with limited resources.
Armstrong Watson’s recent survey of family-owned businesses highlights a concern that 46% of respondents are only thinking about the GDPR or partially prepared, and a staggering 36% of respondents have never heard of the GDPR at all. For some sectors the level of readiness is particularly concerning. It is inevitable that Professional Services firms and Retail and Hospitality businesses will be processing personal data and marketing their businesses to consumers, yet 65% of Professional Services firms are not fully prepared and a worrying 43% of Retail and Hospitality businesses have never even heard of the GDPR!
These organisations should now take urgent steps towards compliance. There are in any event significant commercial and reputational advantages to ensuring that business data and information assets are protected and well managed.
Like it or not, Brexit or not, the GDPR will come into force in May this year. The 13% of organisations that consider the new regime not to apply to their business are mistaken. The new regime is here to stay – it is a long overdue response to increased use of technology and personal data and the need to protect consumers, employees and their privacy. The ICO acknowledges that organisations, especially small businesses, will take some time to transition to a new regime, but with the May deadline looming businesses should not delay preparation further.
Guest article written by Myerson Solicitors. Please visit their website for more details www.myerson.co.uk