By May next year, all UK businesses will have to ensure they are GDPR compliant. In layman's terms, customer data will soon have to be handled with kid gloves.
Not even the smallest companies are exempt from this new piece of EU legislation, which comes after two decades of varying interpretations of the existing data protection rules have left privacy laws between EU countries inconsistent.
The increasing sophistication of cyber crime, and soaring incidences of information security breaches, leaves most in agreement that the existing data protection directive is no longer fit for purpose.
British businesses with half an eye open will either have been on the receiving end of the scaremongering, or been pitched the services of GDPR experts and data protection officers, that vary wildly in quality.
Here are four things all – including the smallest – businesses need to know about GDPR, ahead of the deadline of 25 May:
1. The scaremongering is justified. All UK businesses that hold data or buy data lists – however small, and irrespective of Brexit – will have to comply with this new regulation by the deadline. Those who don’t risk a fine worth 4% of gross annual turnover, and run the gauntlet of negative PR and nosediving customer confidence, in the wake of a data breach. The widely bandied theory that GDPR is the next Millennium Bug – i.e. nothing but a storm in a teacup – isn't an applicable analogy, because this is about taking steps to diminish risks to personal data now and in future (not something that might happen at midnight).
2. Brexit won’t save you. It’s almost a given the UK will adopt GDPR, even with our planned exit from the EU. And, with the May 2018 deadline well ahead of a rumoured departure date, businesses should prepare regardless.
3. It’s good for business as well as customers. Data privacy is treated as a basic human right under GDPR, meaning customers can have more faith in the many businesses they entrust their data with. Cyber crime is a very real scourge and, although compliance is undoubtedly an administrative pain for businesses, the benefits far outweigh the hassle. GDPR will force companies to look more closely at their information security strategy and consider the new impact of a catastrophic loss of data. Meeting ISO 27001 – the new information security standard – will demonstrate to customers and stakeholders their information security policy is robust and fit for purpose.
4. This isn’t a one-off task, it’s an ongoing commitment. Of course, companies must first assess the state of play to ascertain if they are already compliant, and lay the foundations for the prevention of security breaches using recommended techniques such as encryption, anonymisation and pseudonymisation. But the possibility of a data breach can never be completely eliminated, even with preventative security measures in place. The GDPR recommends monitoring and alerting to detect such breaches. This is why the job is never done.
Kavitha Muniandy is European manager at IT outsourcing provider Soitron UK