Tough data protection regulations start a year today

Posted on May 25th, 2017

With a year to go until the General Data Protection Regulation becomes law, the British Chambers of Commerce is urging businesses to start preparing now so that they are compliant with the legislation when it comes into force.

From 25 May 2018, all businesses that hold personal data will have to guarantee their procedures are fit for purpose and compliant with the new regulation.

While the GDPR is an EU initiative, the UK Government has already made clear that the legislation will remain part of British law post-Brexit.

Businesses that are found to be non-compliant risk potential fines of up to €20m or four per cent of annual worldwide turnover, considerably higher than fines under current data protection regulations.

East Midlands Chamber is one of the 52 BCC-accredited Chambers of Commerce around the country urging its members to start making the necessary preparations now, so that they are ready when the regulation takes effect.

Steps for businesses to take include:

  • Document what personal data the company holds, where it came from and who it is shared with. Firms may want to consider organising an information audit or speaking to a data protection expert.

  • Review current privacy notices and plan any changes needed before the implementation deadline.

  • Check procedures to ensure that they cover all the rights individuals have under the new rules, including how to delete personal data or provide it electronically if requested.

  • Review how the company seeks, obtains and records consent from individuals, and whether any changes are necessary.

  • Ensure the right procedures are in place to detect, report and investigate a personal data breach.

  • Determine whether a Data Protection Officer is required and, if so, designate one to take responsibility for data protection compliance and assess how the role will sit within the organisation.

For more steps on preparing for the General Data Protection Regulation, businesses should refer to the Information Commissioner’s Office checklist.

    David Riches, Executive Director at the British Chambers of Commerce (BCC), said: “Businesses need to be proactive about ensuring they are ready for the new data protection regulations when they come into force this time next year, and not leave preparations until the eleventh hour. Those firms that don’t fulfil the necessary responsibilities leave themselves vulnerable to tough penalties, not to mention public scrutiny.

    “With twelve months to go, there are a number of procedures businesses should be reviewing to determine what changes may need to be introduced to be compliant. Businesses that are already vigilant about their data protection responsibilities won’t be unduly burdened by the new legislation.

    “The General Data Protection Regulation is intended to reflect modern working practices in the digital age, and will strengthen consumer trust and confidence in businesses. It will establish a single set of rules across Europe, which will make it simpler and cheaper for UK companies to do business across the continent, even after we leave the EU.”

    Andy Watterson, the East Midlands Chamber’s lead on cyber crime, said: “The way businesses handled data back in 1998, when the existing data protection regulations were introduced, is very different from the way we handle data today. In the modern digital world we handle far more data, in many different ways, and we also move data across international borders more than we used to.

    “This legislation isn’t being introduced for the sake of it; it reflects how we handle data. If we want to do business with other countries then our data protection regulation has to match theirs. Businesses should use this as an opportunity to review how they handle data to make sure they do it in the most secure way.

    “Data breaches and other cyber attacks are not going to diminish, as the recent WannaCry ransomware attack has shown. If anything, they will get bigger and more frequent as the hackers get more and more clever and the amount of data gathered by organisations of all sizes continues to increase.

    “The Government has already said that all existing EU regulations will be subsumed into UK law when we leave the EU so the punitive elements of the General Data Protection Regulations are not going to go away. It is essential organisations can prove they took every precaution possible to protect client data if they need to mitigate a punishment calculated on four per cent of global turnover – that’s turnover, not profit.”