GDPR - 1 year to go
In exactly 12 months' time the General Data Protection Regulation will come into force. It brings with it the biggest change to data protection law in 20 years.
All businesses will be affected by this change, regardless of size, sector or turnover. If you haven’t started thinking about what changes your business needs to make in order to comply with the GDPR, you must do so now. We believe that it will take the average business in the region of 12 to 15 months to ensure that it is properly compliant.
Here are some of the key changes from the GDPR:
- Fines for breach of the law will increase from £500,000 to an upper limit of €20m or 4% of worldwide turnover, whichever is the higher
- Businesses will need to appoint a dedicated data protection officer where they conduct regular and systematic monitoring of data subjects on a large scale
- All businesses will need to report data security breaches to the Information Commissioner’s Office (“ICO”) within 72 hours of becoming aware of the breach
- Using opt-outs and pre-ticked boxes for consent will no longer be valid. Any business using these consents after 25 May 2018 will need to seek new consent or else stop processing that personal data
- Individuals will have a new right to be forgotten, meaning that businesses must erase that individual’s data when requested to do so.
We are working with businesses of all shapes and sizes, across all sectors, to help get them GDPR-compliant. Ideally, businesses should be following the timeline below. If you're not, don't panic: it's not too late. But time is getting tight with the GDPR.
2017 Quarter 1: Planning. By the end of the first quarter most businesses should have a plan in place for GDPR compliance which covers things like: (1) who is taking internal ownership of this compliance project; (2) what the scope of the project is; and (3) what internal and external resources are needed to deliver it. This is also the time to start training staff on the changes in the law.
2017 Quarter 2: Compliance Analysis. This is essentially a data audit for GDPR purposes, which highlights key risks within the business and includes a gap analysis. It will involve speaking to key stakeholders and departments. The results will feed into your GDPR action plan.
2017 Quarter 3: GDPR Action Plan. By this point you should have your action plan in place and be implementing the changes in that plan. Those changes could include enhanced security, better organisational and reporting processes, new policies and renegotiation of key contract terms.
2017 Quarter 4 and 2018 Quarter 1: Finalisation. By the end of Quarter 1 2018 the GDPR action plan should be finalised, with all key risks resolved. If you haven’t already done so, this is the time to nominate a data protection officer.
GDPR comes into force (25 May 2018). Ensure ongoing monitoring and compliance.
If you want to find out more about these changes and how they can affect your business, contact Matthew Holman.