The EU’s General Data Protection Regulation (‘the GDPR’) comes into effect on 25 May 2018. This means that the clock is ticking and that organisations have limited time to prepare to comply with the new data protection regime and stricter requirements for processing personal data.
Although the new regime has been headlined as an evolution rather than a revolution, there will be some significant changes from the previous data protection regime. For example, reporting of data breaches to the ICO (Information Commissioner’s Office) will become mandatory after 25 May 2018, whereas under the current Data Protection Act it is only a recommendation.
From May 2018, the ICO’s enforcement powers will include powers to ban or suspend data processing, potentially at great cost and inconvenience. The ICO will have the power to issue increased fines of up to £17 million or 4% of global turnover, whichever is the higher. Currently, fines are capped at £500,000.
Individuals’ rights will also be bolstered by reform, with individuals being able to bring civil claims, either alone or as part of a class action, for failure to comply with data protection principles. Historically, individuals could not bring standalone claims for distress or hurt feelings and so claims were rare – this is likely to change from May 2018.
Organisations with measures already in place to manage their data processing activities will be in a strong position to adapt their existing procedures to the new regime. However, organisations which have not previously prioritised data protection compliance may be vulnerable to complaints and enforcement action by the ICO.
One of the key features of the new regime is the requirement for organisations not only to comply with data protection principles, but also to be able to demonstrate their compliance through the adoption of internal governance measures, appropriate records, documentation, policies and procedures. These new requirements, aimed at improving accountability and transparency, are a major challenge for smaller businesses with limited resources.
Armstrong Watson’s recent survey of family owned businesses highlights a concern that 46% of respondents are only thinking about the GDPR or are only partially prepared, and a staggering 36% of respondents have never heard of the GDPR at all. For some sectors the level of readiness is particularly concerning. It is inevitable that Professional Services firms and Retail and Hospitality businesses will be processing personal data and marketing their businesses to consumers, yet 65% of Professional Services firms are not fully prepared and a worrying 43% of Retail and Hospitality businesses have never even heard of the GDPR!
These organisations should now take urgent steps towards compliance. There are in any event significant commercial and reputational advantages to ensuring that business data and information assets are protected and well managed.
Like it or not, Brexit or not, the GDPR will come into force in May this year. The 13% of organisations that consider the new regime not to apply to their business are mistaken. The new regime is here to stay – it is a long overdue response to the increased use of technology and personal data and the need to protect consumers, employees and their privacy. The ICO acknowledges that organisations, especially small businesses, will take some time to transition to the new regime, but with the May deadline looming businesses should not delay preparation further.
Guest article written by Myerson Solicitors. Please visit their website for more details: www.myerson.co.uk
If you are looking for strategic business and would like to talk to one of our team, please email Nick Palmer or call him on 07765 229901.