A new and recent survey by the Institute of Directors (IoD) found that 4 in 10 businesses are not prepared for the changes being introduced by the General Data Protection Regulation (GDPR).
The findings resonate with research carried out by the Federation of Small Businesses (FSB) which said that over 90% of small UK businesses were not prepared for GDPR, even though the changes were less than three months away at the time.
As the IoD suggests, the findings perhaps reflect the scale of the new regulations, which affect the way data flows throughout every area of an organisation. From HR to marketing and IT to overall governance, the new laws are challenging businesses to rethink all processes relating to the collection, processing and handling of personal data.
The General Data Protection Regulation (GDPR) came into force in the UK on 25th May 2018, replacing the Data Protection Act 1998.
It strengthens and unifies data protection rights for all individuals within the European Union, aiming to give them more control over how their personal data is collected, used and stored.
Key changes include strengthening rules on consent and enhanced data subject rights including the right to be forgotten, right to access and data portability.
Breach notification is now mandatory and needs to be reported to the ICO within 72 hours. Affected individuals must then be informed “without undue delay”.
Privacy by design requires organisations to consider data protection when designing systems, whilst data minimisation reduces the amount of data that can be processed and kept to that which is necessary for the intended purpose. GDPR also limits access to those who need to complete the processing and some companies will need to appoint a Data Protection Officer (DPO) – but this does not apply to everyone.
Fines of up to 4% of global annual turnover or €20 million will be the new standard for those falling foul of the new rules. However, the Information Commissioner’s Office (ICO) maintains that these penalties will remain a last resort, yet they remain a key motivator for a vast number of businesses seeking GDPR compliance.
Is it too late to make a start?
If you still need to start your journey to GDPR compliance, don’t panic. It’s not too late to make a start. In fact, it’s much better to start taking steps now than to bury your head in the sand. Contrary to popular belief, GDPR will still apply to the UK after Brexit when the Data Protection Bill will translate the EU principles into British law so the sooner you address it, the better.
The ICO has produced an extensive set of guidelines on their website and its 12 steps to GDPR highlights key considerations and actions you can take straight away. A helpline is also available for those seeking further advice.
As well as being our Chief Technology Officer, Sam Reed is the Head of our specialist cyber security division, Air-Sec. A GDPR Certified Practitioner, he comments:
The ICO have suggested that if you’re compliant with the current Data Protection Act, then you should already be on your way to compliance under GDPR.
However, it does point out that new elements and enhancements will mean some things will need to be done differently, and for the first time so it’s important to assess your position and plug any gaps.
Chief Technology Officer
How we can help
There are a number of ways that we can help you with your GDPR preparations. Since it primarily relates to handling personal data, you’ll want to make sure your employees understand the new regulations and abide by them.
To help you overcome this challenge, we’re offering a comprehensive security awareness training tool, providing instant access to a suite of employee awareness courses. This includes a module on the key GDPR principles, so staff can brush up on their knowledge quickly and efficiently. Built-in reporting tools will allow you to check who has and who hasn’t completed the training and a simple test provides pass rates, so you can identify and address any weaknesses.
We can also assist with any policies that you may need, and longer-term we can perform an in-depth audit or gap analysis to ensure your business is able to address any shortfalls.
As a managed service provider, we’ll be more than happy to discuss how we can support your ongoing cyber security needs to protect data against unauthorised access and attack. Our award-winning backup and business continuity solutions will ensure that you can recover and restore business-critical systems if the worst should happen.
Need more help or advice?
If you need more information or advice on your ICT, then please do not hesitate to contact us on 0115 880 0044 and we will be more than happy to help.