The warning comes from financial and business advisers Grant Thornton, who say that employers are putting themselves at risk of heavy fines.
From May 25 2018, all organisations processing personal data of individuals in the UK or EU will need to meet the new General Data Protection Regulation (GDPR), which has been introduced to give people greater control over their personal data and how it is used.
Any organisation found to contravene the new regulations after the May 2018 deadline could be subject to a financial penalty. The level of fine will depend on the nature of the infringement but for larger businesses it could be as much as four percent of global turnover or €20 million – whichever is higher.
The EU allowed a two-year transition period for businesses to comply with the GDPR.
Encouragingly, nearly 90% of local senior managers questioned in the recent poll are aware of the upcoming legislation and over 80% of businesses have begun to take steps to prepare for the new laws.
Fiona Baldwin, pictured, Grant Thornton’s practice leader in Milton Keynes and Northampton, says: “The new GDPR regulations have far-reaching implications for all organisations who hold personal data of EU citizens and, with the introduction date fast approaching, it is concerning that the vast majority of local businesses have no plans in the event of a data breach.
“Over the last 20 years, the Data Protection Act has been the foundation for protecting privacy in the UK. However, this pre-dated social media, cloud computing and geolocation services and the laws needed updating to address modern privacy concerns.
“The new GDPR aims to do just that by increasing organisations’ accountability for all aspects of data protection from the collation of personal data to its disposal. It is vital for businesses to ensure they are up to speed with the new legislation requirements and ready to comply by May 2018 or they could face a hefty fine – and damage to their reputation.”
Among the legal requirements outlined by the GDPR, organisations will need to:
- Be able to prove clear, freely given consent from every individual to process their data. Silence or inactivity no longer constitutes consent.
- Appoint an appropriately experienced, independent data protection officer where required. Many organisations, including local authorities, schools and companies that monitor individuals on a consistent and large scale, will have to do so; the officer cannot hold a conflicting role such as CEO, CFO or head of IT.
- Conduct Privacy Impact Assessments to identify where privacy breach risks are high, particularly with new projects.
- Report significant data breaches to regulators within 72 hours.
- Observe ‘the right to be forgotten’ in all procedures. Organisations should not hold data longer than absolutely necessary or use data for a purpose other than the one it was originally collected for.
- Design data protection into all new business processes and systems.
Following Brexit, organisations in the UK that process data of individuals in the EU will still need to be compliant with the GDPR. It is also anticipated that UK data protection laws will remain broadly in line with the GDPR.
“All organisations need to fully understand how the GDPR affects them,” says Fiona. “This includes assessing current processes and establishing which business areas will be impacted and how. It’s good to see the vast majority of local firms have at least taken the first steps towards this.”
By May 2018 every business should be able to evidence that it is GDPR-ready for both internal audit and regulators, Fiona adds.
They must be able to show that risks to personal data have been understood and embedded in the organisation; that they have new or updated, fully operational data protection policies, procedures and controls in place and can produce governance documentation for inspection.
“All this requires business-wide awareness and what may be a steep learning curve for many management teams, so professional advice can prove invaluable. With personal privacy high on the public agenda – and rightly so – it’s just not worth the financial or reputational risk of leaving anything to chance.”