Is your business GDPR ready? If not, you need to take action now or you could leave yourself open to enforcement that will damage both your reputation and your bank balance. New research by PwC warns that companies will face much tougher penalties when the new rules come into force in May 2018. And the UK is already one of the most active places in Europe for rigorous enforcement of existing data protection law.
Already, the number of fines handed out for breaches of data privacy in the UK has almost doubled to £3.2m in the last year. Data privacy watchdog, the Information Commissioner’s Office (ICO), handed out 35 penalties last year, compared to 18 the year before, while the number of enforcement notices ordering greater compliance jumped from nine to 23. This includes a record £400,000 fine to TalkTalk over a security lapse that allowed a hacker to access customer data and a £130,000 fine to online pharmacy, Pharmacy 2U for selling details of more than 20,000 customers to marketing companies without their consent.
Right now, the ICO can only issue fines of up to £500,000. But from next May it will be able to issue fines of up to 4% of global annual turnover or €20m (£17.4m), whichever is greater. So what exactly is the General Data Protection Regulation and what do you need to do to avoid falling foul of it?
In a nutshell, the GDPR shifts the goalposts for businesses as it represents a fundamental change to the risks associated with data protection and the consequences of a data breach. It will overhaul the relationship businesses have with personal data through a complex new set of consumer rights. It’s being introduced to meet the advanced requirements of the digital economy and will change the way you collect, store, process and protect the personal information of customers, clients and employees. Here at Transputec, we have already produced an online tool that will help to guide you through the GDPR maze.
If your business holds or processes personal data, you need to make sure your staff understand what constitutes a personal data breach and put an internal breach reporting procedure in place. The timescales for reporting a breach are tight (the GDPR requires notifiable breaches to be reported to the supervisory authority within 72 hours of becoming aware of them), so it is crucial to have robust breach detection and investigation procedures in place. This is where a behavioural monitoring tool like ThreatSpike can help companies reduce the risk of an insider data breach and discover where one has already taken place.
If you’re hoping that the regulations will be watered down after the UK leaves the EU, PwC analyst Stewart Room, an expert in global cybersecurity and data protection, maintains that this is unlikely. “UK organisations must use the remaining time to prepare for GDPR compliance before May next year,” he insists.
And it’s not just European companies that are concerned. The latest analysis from Veritas suggests that 86% of organisations worldwide believe that failure to adhere to GDPR could have a major negative impact on their business. In fact, nearly 20% said they fear that non-compliance could put them out of business.
Are you ready to respond to the new regulatory change? If not, it’s time to start acting now. At Transputec we have a multidisciplinary team of experts covering data protection, cyber security and risk management. Contact us today and we will be happy to identify the impact of the GDPR on your organisation and implement a robust privacy and data protection programme for your business.