As May 2018 steadily approaches, is your business preparing for GDPR?
The EU General Data Protection Regulation (GDPR) applies from 25 May 2018, replacing the current Data Protection Directive 95/46/EC.
The EU has described it as the most important change to data privacy regulation in twenty years, but reception has been mixed: some see it as a welcome first step in bringing privacy and data regulation into the digital age, whereas others view it as more red tape and a financial burden because of the changes organisations must make to accommodate the new rules.
However you view GDPR, it is coming, and businesses need to be prepared!
The primary changes that GDPR brings centre on the control an individual has over how and where their personal data is used. With the digital and physical worlds more connected than ever, it is easy to lose track of personal data and how it is being processed. GDPR exists to give more control to the individual, allowing them to exercise their rights over their personal data in a simpler and more transparent way.
With this come more obligations for organisations, to ensure that personal data is both collected and used lawfully. The conditions for consent are stricter: requests for consent must be written in clear, plain language rather than buried in terms and conditions, and withdrawing consent must be as easy as giving it. Individuals will have expanded rights to access the personal data that organisations hold about them, and the Right to be Forgotten (Data Erasure) process is made much simpler.
Fines Under GDPR
Fines will be considered on a case-by-case basis where breaches are reported; however, the maximum fine will be up to 4% of global annual turnover or €20 million, whichever is greater.
As it currently stands, the Information Commissioner's Office (ICO) can issue fines of up to £500,000, so an increase to roughly 40 times that amount is a huge leap. If this does not incentivise businesses to prepare in advance of GDPR, then likely nothing will.
A Financial Burden
With the risk of large fines for data breaches and non-compliance, many businesses are trying to take every possible measure to become compliant, but many organisations say it is a challenge, both technically and financially.
A good example of this is the tech sector. A recent piece in the Financial Times stated that the cost to this sector alone is in the millions, as products need redesigning to be compliant and new consultancy staff are hired purely to take on the challenges brought about by GDPR. Facebook, for example, has stated that initial GDPR compliance will cost the organisation several million dollars, in addition to any ongoing costs. Facebook Ireland currently has a full-time data protection team in place to work on GDPR; the team has grown by 250% this year.
This cost may not seem much for Facebook, which reported revenue of $9.32 billion in the second quarter of this year, but for smaller businesses the cost of implementing GDPR may affect the viability of the business moving forward. It is therefore unsurprising that many see it as a burden.
On the flip side, others hold the opinion that GDPR is the best direction for data privacy law and welcome its arrival. Because the new regulation gives consumers more control over their data, they will also be able to choose more effectively which companies to trust with their information, so a company that earns consumer trust and builds a positive reputation through being GDPR compliant is more likely to win over consumers than one that does not.
Gaining this trust means a company can develop its products and services to retain a customer for longer by using their data effectively, within the law. The consumer, in theory, would prefer to continue dealing with a company they feel takes their privacy seriously rather than one that does not. Services can be streamlined to make life easier for a consumer who trusts a business with their data, making upselling and longer retention a very real possibility.
This creates an advantage over competitors, who will now have to comply and account for their data usage, and erase personal data when a consumer requests it, or risk large fines for breaches or non-compliance with GDPR.
Where does your organisation stand on GDPR? With only 9 months left, are your preparations underway to ensure compliance?