What does GDPR mean for UK businesses?
By Sinead Haycox
GDPR (General Data Protection Regulation) is coming, that much is unquestionably true. Despite the UK’s post-Brexit future, GDPR compliance is not optional for businesses around the country. And be warned, there are steep penalties for ignoring the new legislation.
The new GDPR aims to bring consistency to European-wide data protection laws, and safe-guard consumer data in this age of constant connectivity and social media. But what does this mean for businesses in the UK?
Comply, or risk a serious fine
Non-compliance with the GDPR will lead to a large fine, split into two tiers depending on the data involved. Any business that breaches the new regulations and puts highly sensitive data at risk will be fined 4% of the previous year’s global turnover, or €20 million – whichever is higher. These are Tier 1.
Tier 2 covers breaches that the authorities deem less serious, but these companies will still be hit with a fine of €10 million or 2% of the previous year’s global turnover. That is per incident, more than enough to have a serious impact on most small to medium enterprises, and it means huge fines for the likes of Facebook and Google.
Is being unprepared worth it? We’re guessing not.
It’s important to note that the changes in legislation will shield a business’s reputation in the long run, by protecting customers’ data and making it more difficult for hackers to obtain information through a security breach.
How does this differ from the Data Protection Act?
The UK’s Data Protection Act was brought into effect in 1998 and has long required an update that considers the technological advancements of the last 20 years. That’s where GDPR comes in.
GDPR introduces rules similar to the DPA’s but more stringent, with several key legislative changes such as:
- Be aware of your data’s location
GDPR demands a record of all data operations business-wide, and regular privacy impact assessments (PIAs). Basic training on data processing agreements covering the collection of personal data may be required to ensure that staff are aware of the new regulations.
- Obey the customer’s right to be forgotten
Individuals have the right to demand deletion of all personal data held by a company, and data controllers must comply with this “without undue delay”. If data that is no longer needed, or whose processing was deemed unlawful, is retained, the business could be accused of misusing personal data, which would lead to a fine of the highest level.
- Demonstrate consent
For a business to obtain a customer’s data, the customer must freely give “explicit consent”. Under GDPR, consent for data usage can be withdrawn at any time, to reassure consumers that their personal details are safe and not held by anyone unscrupulous. Consent must be as easy to withdraw as it is to give.
- Changes to data breach notifications
Any business that suffers a data breach has a duty to notify the relevant supervisory authority promptly (within 72 hours). If the breach is of significant public interest, the data controller must be informed without undue delay.
What does this mean for tech and finance professionals?
For any business that handles EU customer data, GDPR brings big changes all round. Take Ireland.
The Emerald Isle has long attracted US and other multinational conglomerates such as Google and Apple, in part because of its low rate of corporate tax, but also because the country has relatively permissive data protection laws. This is all about to change under GDPR. Will this lead to companies leaving Europe for the richer pastures of data-tolerant, non-EU countries, in parts of Asia or MENA, for example? It’s not likely.
The new regulation states that even if your business is not in the EU, if you handle the data of EU residents then you must work within the constraints of GDPR.
A company that deals with any form of payroll or customer data will need to consider its data management seriously, including the location, accessibility and auditability of all information held on individuals, so that it can be deleted immediately if the customer requests it.
Simple reconciliation of data across all platforms is therefore essential. For a business to be truly GDPR compliant, data attributes must be easily retrievable and universally synced across all business systems, such as a CRM or ERP.
Bad for the brand
Non-compliant businesses not only end up with record-level fines, but the negative PR means they risk losing digital relationships with trusted, potentially life-long partners and clients. That’s why it’s essential for all EU companies to embrace data protection and transparency, putting people back in control of their own data. The choices businesses make about their data usage reflect their brand’s core values, and once those are destroyed, no amount of money can repair them.
Data breaches are kryptonite for a brand’s reputation, and rightly a concern for many. We live in a world where data is valuable, and millions of business decisions are made worldwide every day simply because of the data available. Hackers keep getting smarter, and the data keeps growing. That is one thing GDPR aims to tackle, through tangible, clear-cut regulations and consistent laws throughout the EU.
Any company that deals with payroll or customer data will need to consider its data management, including the location, accessibility and auditability of all information held on individuals. Non-compliance is not a feasible option, so it is something businesses need to consider now, for implementation in 2018.
Some people think that Brexit will save them from the upcoming data protection changes, but that is incredibly naïve. GDPR cannot be stopped, and it is a bad idea to ignore it. The UK was heavily involved in creating the legislation, and the regulations as a whole aim to make the industry better, protecting both businesses and customers. It is highly unlikely that the regulations will be disregarded even after Brexit.
Despite this, a recent survey of UK-based IT professionals revealed that 44% of them do not believe that GDPR will apply after Brexit.
Any company that decides to disregard GDPR is making a big mistake. UK surveillance laws are in the process of introducing one of the biggest changes to data protection in our country’s history, whether businesses like it or not. It is essential to start now and avoid a large fine from 25th May 2018.
How can we help?
We can support you during the GDPR transition, and advise on the best business practices.
AccessPay can assist your business with:
- A payments platform that integrates with almost any back-office system
- Robust approval and workflow tools that ensure data can only be accessed by those with the right permission levels
- Data screening, to prevent misuse of key data elements
Download our GDPR Checklist to make sure your business is prepared for the regulations.