Friday 25th May 2018 is a day that sticks in the mind of anyone who has come across the letters GDPR. So, what does General Data Protection Regulation (GDPR) mean to business and what do we have to do?
EO Executives have been busy working with some of the largest Europe-wide organisations, supporting them with specialist GDPR subject matter expertise and programme management support.
We thought we’d share our observations…
Firstly, who does this apply to?
The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU.
Will Brexit impact the implementation of the GDPR?
The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
The ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. We acknowledge that there may still be questions about how the GDPR would apply in the UK on leaving the EU, but this should not distract from the important task of compliance with the GDPR.
So, what does this look like?
It is alarming that we have not seen a ‘tidal wave’ of companies start to address the GDPR issue, especially as the clock is ticking.
Perhaps organisations are simply unaware of the new legislation? Or maybe they believe that Brexit will mean compliance is no longer required? Regardless, penalties are 4% of business turnover.
Having already supported several major organisations with GDPR compliance and subject matter expertise / management support, these are our key observations:
1. Organisations are leaving it too late. For a while, we have been working with major European businesses, helping them prepare for May 2018. Every data expert we speak with believes organisations are running out of time.
2. Lawyers and GDPR. Many lawyers are offering GDPR expertise, and there is a place for legal advice. Nonetheless, data privacy and GDPR compliance are based on access, consent and the practical and pragmatic issues of controlling data. The IT department has a key role.
3. The penalties of failing to comply are substantial. But will the ICO go out to set an example with a substantial fine? I suggest there may well be a waiver period to fix the issues. However, if an organisation cannot fix the issues within six months (for a large organisation this is not long) then the ICO could potentially instruct the organisation to cease processing data. This will effectively close the business.
4. Reputational risk is far greater than any penalty. We are currently working with a major European business; their main concern is reputational risk. Hardly surprising when you look at companies like TalkTalk. Can you quantify those customers that went elsewhere?
5. Expertise is vital. GDPR is new and there aren’t many people or organisations with the relevant experience. EO Executives is one of those organisations who have a strong track record of providing major European organisations with subject matter expertise and programme management.
There are several individuals out there who have done a course in GDPR, but few with a track record. Our team have built a talent bank of top individuals with sound GDPR expertise. We are also connected with the UK’s leading Subject Matter Experts. The first step is a health check to determine whether there is a problem, the size of the gap and the scale of programme needed to address it. We believe this will also support any further discussions with the ICO.
If you recognise the above, now may be a good time to consider giving us a call. Hiring the right expertise is not straightforward. EO Executives have the expertise and bank of individuals to support you and cost-effectively address GDPR.
If you would like to discuss further, please call our experts on 01962 893 300 for a confidential discussion.