In just under a year's time the largest overhaul of data protection laws will come into effect, bringing massive consequences for many businesses.
Yet despite the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018, many businesses have not taken any steps to meet the new legislation while others are not even aware of it, even though it demands 100 per cent compliance, according to Blanchards Bailey.
The solicitors' firm believes businesses that do not comply run the risk of hefty fines, up to €20 million or four per cent of a company's worldwide turnover, whichever is higher, as well as loss of consumer and supply chain confidence and significant damage to their reputations. The need for businesses to ensure they have robust policies, procedures and processes in place has never been greater.
To put it into perspective, if Tesco, which last year suffered a data breach affecting 40,000 customers, had been hit with the maximum penalty, it would have been landed with a staggering fine of £14.9 million.
Research by the UK's Ministry of Justice estimated it could cost as much as £320 million for UK businesses to comply with the new regulation. A report by the Information Commissioner's Office (ICO) also laid bare the huge implications for small to medium-sized businesses that use direct marketing, estimating it will cost them an extra £76,000 a year, while training marketing staff is likely to cost over £7,500.
The new GDPR will affect any business in the world that deals with the personal data of EU citizens. It has been nearly two decades since the UK's data protection laws were last updated, via the Data Protection Act 1998. That legislation was introduced to bring UK law into line with the EU's Data Protection Directive, which was introduced in 1995.
Since 1998, the world has seen an explosion of digital services and internet devices, the birth of online retail and mobile phones transforming into miniature computers. This has led to the emergence and cultivation of new industries based on the use of personal data and the recording of commercially sensitive data.
“The GDPR will impact on many businesses as data processing covers anything that concerns the use of data,” Paul Dunlop, Principal and Head of Litigation and Disputes at Blanchards Bailey, said: “It is a broad subject but essentially GDPR will apply where a business processes data, i.e. receiving, retaining and/or giving it to somebody.
“When the law comes in next year businesses dealing with data will have to do a lot more to ensure they comply with GDPR, especially those that are customer-facing,” Paul continued. “Many will have to update customer consent agreements and adapt their terms and conditions, which is likely to be time-consuming and complex. If companies do not fulfil their requirements of the GDPR then they will face potentially large fines and possibly negative media coverage and unusable data.”
Key changes businesses need to be aware of under the GDPR include: requests for consent must be made in clear language, people must be told on request whether their personal data is being used, and any breaches must be reported within 72 hours.
To comply with the new GDPR, businesses should review their privacy policies and consent requests, as well as their procedures and contracts. Other considerations include updating their data security breach plan and auditing international transfers to make sure they are allowed to transfer the data.
For more information visit www.blanchardsbailey.co.uk
If you would like to discuss how Carswell Gould could help, our team of experts are keen to chat. Fill in your details below and we'll be in touch shortly.