New EU-wide laws on data protection will be introduced in May 2018 and every business must comply or face the consequences. The IoD’s Information and Advisory Service (IAS) explains how you should prepare
The recent data breach at Yahoo was said to have affected eight million internet users in the UK alone. But it’s not just multinationals that are coming under attack. Rob Cotton, CEO of leading British cyber security consultancy NCC Group, told business leaders at this year’s IoD Annual Convention: “Government statistics show that 65 per cent of organisations have already been breached,” adding that the average time it takes for a company to discover it has been breached is 120 days. Indeed, the violation of Yahoo occurred in 2014 and took two years to see the light of day.
What is GDPR?
The sheer amount of data traded between businesses across Europe continues to grow exponentially. In 2012, the European Commission announced the proposal of “a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy”. This, in turn, became known as the General Data Protection Regulation (GDPR), and it will come into effect in May 2018. The key objectives of GDPR are:
• A harmonised pan-EU regulation, replacing the existing patchwork of myriad national regulations
• An improvement of the current system of binding corporate rules for a safe transfer of data outside the EU
• A regime allowing better control over an individual’s data
What if you fail to comply with GDPR?
Cotton revealed: “If you fail to look after data correctly, you will be liable for a fine of four per cent of your global turnover.” The maximum fine is £20m. He added: “That is a bit of a change from the Information Commissioner’s Office (ICO), who are able to levy fines of up to £500,000.” Only last month, the ICO imposed a record fine of £400,000 on TalkTalk following theft of personal data involving more than 150,000 UK customers.
Protecting a customer’s data is also about protecting the reputation of your business. As Cotton said: “If you are hacked, Semaphore [a supplier of data for the Office for National Statistics] recently produced a stat revealing that 86 per cent of customers will not return to a website if their credit card has been breached. We all expect now to be hacked: 65 per cent of us believe that next year we will be hacked. It is a fact.”
What should you do next?
May 2018 may seem like a long time away but there are several measures UK businesses must put in place including…
• Creating a continuity plan for data breaches
• Ensuring accountability for data breaches is understood by all your staff
• Ensuring you design privacy into your products and services
• Considering the legal basis of how you use personal data
• Checking you have appropriate privacy notices and policies
• Being prepared for data subject requests from anyone you hold personal information about
• Considering and agreeing who is responsible when data is transferred or processed
• Setting up a framework that ensures you have a legitimate reason for transferring personal data to countries with less stringent data protection rules
What about Brexit?
Theresa May wants the UK to leave the EU by the end of March 2019. After that date, the government may decide to stick with GDPR. Alternatively, new laws could be introduced that would cap fines as a way of tempting companies to operate in the UK. Regardless of Brexit, if you trade or interact with a European business covered by GDPR, you will still need to comply with it. For now, the best advice is to assume nothing and prepare for May 2018.
To find out more about the Information and Advisory Service, visit
Telephone 020 7451 3100