Six Reasons Why You Should be Preparing for GDPR Today

It’s the law

On 25th May 2018 the European Union General Data Protection Regulation (GDPR) comes into effect. It replaces the patchwork of national laws that implemented the 1995 Data Protection Directive, including the UK's Data Protection Act 1998. Under GDPR the rules for processing personal data become stricter and the accountability principle places a much greater emphasis on being able to demonstrate that you are compliant, not merely to assert it. The fines are also on a different scale: for the most serious infringements (such as breaching the basic principles of processing or data subjects' rights) up to €20 million or 4% of the organisation's worldwide annual turnover, whichever is higher, and for other infringements (such as failing to notify a breach or to keep proper records) up to €10 million or 2% of turnover, whichever is higher. That makes the £500,000 maximum the ICO can impose under the Data Protection Act look like pocket change. Failure to prepare adequately may leave your business open to these fines.

Brexit will not stop it

Whatever relationship the UK negotiates with the EU, it will still be a member state on 25th May 2018. UK businesses will therefore be bound by GDPR from that date until the day the UK formally leaves the EU, regardless of whether GDPR continues to apply to your business afterwards.

GDPR will also continue to apply to UK businesses that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of where the processing itself takes place. Companies in that position must ensure that the data of those individuals continues to be stored and processed in accordance with GDPR, and may well find it more economical to make all of their processes compliant than to maintain two parallel sets of processes.

If the UK remains inside the European Economic Area (EEA) after Brexit, for example by joining the European Free Trade Association (EFTA) on the same terms as Norway and Iceland, it would continue to apply EU law, including GDPR. If it chooses a different relationship with the EU it would be free to write its own data protection laws. However, for personal data to keep flowing from the EU to the UK without additional safeguards, the European Commission would need to issue an adequacy decision, which requires UK law to provide a level of protection essentially equivalent to GDPR. So even if the UK introduces its own data protection laws after Brexit, they will closely track GDPR, and meeting them will be far simpler for a business that is already GDPR compliant.

Aside from compliance being a legal requirement that most businesses will not be able to avoid, there are several ways that a well-designed GDPR plan can boost the efficiency and productivity of your business.

You can save on data processing costs

A key feature of GDPR is that you must identify and document your lawful basis for processing personal data before you begin processing it, and keep records of your processing activities. This is so you can show the supervisory authority (in the UK, the ICO) why data was collected, kept and processed if it investigates. The same records have an operational benefit: a well-maintained data register makes it easy to spot data you are processing without a clear purpose, duplicated or redundant data, and data being kept for longer than it needs to be. Eliminating that processing is exactly what GDPR's data minimisation and storage limitation principles ask for, and it also cuts the storage, backup and handling costs that go with it.

You can streamline your data processing activities

Under the current system, each EU country has its own data protection law implementing the 1995 Directive, and those laws vary from one country to the next. For companies operating in multiple countries this is a headache: each law has to be dealt with separately, which can lead to different processing procedures in each country and to data being held on separate servers in each jurisdiction just to satisfy all of the different regulations.

Once GDPR is in force there will be a single set of data protection requirements that applies directly across the whole of the EU. A business expanding into new EU markets can keep the processes it already has, and a business already operating in several EU countries can streamline and unify its processes. That lowers your overall processing costs and frees resources to look for flaws and areas for improvement in your existing processes, reducing your chances of a breach.

You can avoid bad PR

While the maximum fines under GDPR sound damaging, most fines for breaches will be much smaller. The larger risk for a company that fails to meet its data protection requirements is the reputational damage that follows a data breach. In 2016 TalkTalk was fined £400,000 for failing to prevent the theft of its customers' personal data. That was the largest fine the ICO had ever issued, yet it is tiny in comparison to the £35 million that TalkTalk estimates the breach cost it overall. That figure includes extra staff brought in to investigate the breach, but most of it comes from a drop in share price and an exodus of customers. Even under GDPR, the reputational cost of a breach can dwarf the fine itself. Putting in place the technical and organisational security measures that GDPR requires makes breaches less likely and easier to contain, reducing the risk of the bad PR that accompanies them.

Breaches will be easier to report

Companies operating in multiple EU countries will be spared the trouble of reporting a breach separately to the authority in every country whose law requires notification. Under GDPR's one-stop-shop mechanism, a company with establishments in several member states deals with a single lead supervisory authority, the one in the country of its main establishment. A breach that is likely to put individuals' rights and freedoms at risk is reported to that authority within 72 hours of the company becoming aware of it, and the lead authority then coordinates with the other supervisory authorities concerned. That saves you valuable time during the investigation, when it matters most.