Jon Fielding, Managing Director, Apricorn EMEA
Businesses have just over one year to get ready for the General Data Protection Regulation (GDPR).
The GDPR is the European Union’s new data protection legislation, officially known as the Directive 95/46/EC, which will unify data protection laws across the EU and comes into effect from 25 May 2018.
Under the new set of rules, EU citizens will have much more control over their personal data. Organisations must seek explicit consent from consumers for data collection and provide details on what information is collected and how it is used, processed and stored. Users can demand the full deletion of all their details and can also request that their data be provided to them in a portable format for transfer between data processing entities.
The onus on businesses is significant. They must have systems and processes in place to comply with citizens’ rights and many will need to appoint a data protection officer. After all, non-compliance can come at a huge cost with fines up to 20 million Euros or four percent of a company’s annual global revenue.
The new laws will apply to any company, whether within the EU or not, if it processes the personal data of EU citizens as a consequence of offering goods or services (even if there is no charge) or if it monitors their behaviour, insofar as that behaviour takes place within the EU.
What does this mean for UK businesses?
Even though there is a confirmed date for triggering article 50, Brexit continues to cause uncertainty, but this certainly isn’t an excuse to do nothing.
The UK currently has the existing Data Protection Act in force, which is administered by the Information Commissioner's Office (ICO). The ICO has the power to apply fines to UK companies in breach of this act, albeit at a much lower threshold than the GDPR proposes. A number of companies have fallen foul of the ICO, TalkTalk being one of the most high-profile recent examples.
Most industry experts, including the ICO, expect that UK legislation will adopt GDPR in its majority, if not totality, to avoid any conflict for UK businesses that process EU citizens’ data. This will likely be a major topic within the trade deals that will be negotiated once article 50 is triggered and presents an interesting challenge set against the sovereignty tenet held in support of Brexit.
Preparing adequate security
Under the GDPR, businesses will have an obligation to implement adequate security measures to protect any personally identifiable information of EU residents they process, or risk being fined. Personal data in this context is wider than would normally be expected (name, address, date of birth, financial information, etc.) and is deemed to be anything that can be used to identify a citizen including, but not limited to, ethnicity, IP address, genetic and biometric data.
Businesses are well advised to prepare in advance of any new legislation. While it is not entirely clear exactly how the new legislation will be applied in the UK, one thing that is certain is that large swathes of the GDPR will apply if the UK wishes to continue its commercial relationship with the EU.
Organisations need to analyse the data they collect today and remove anything identified as unnecessary. They will also need to document exactly how data is processed, stored, retrieved and deleted through its lifecycle, and pinpoint where data may be unprotected and/or at risk. This thorough analysis will then enable them to identify technologies, policies and processes that can remedy any shortcomings.
Businesses ought to think specifically about how data is protected outside of their central systems, both on the move and at rest. If data is being transferred outside of the company or between systems, they need to research, identify and mandate a corporate-standard encrypted mobile storage device and ensure its use is enforced company-wide through policies – such as locking down USB ports so they can accept only that device. The IT department should be able to pre-configure those devices to comply with the corporate security policy, such as password strength, to facilitate fast rollout to a large number of users.
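As an added illustration of the "lock down USB ports so they accept only the mandated device" control, the shell script below generates a Linux udev rule set that de-authorises every USB mass-storage interface unless the device carries an allowlisted vendor:product ID. This is example code written for this page, not Apricorn's or the article's own tooling. The VID:PID values are constructed placeholders, and the rules assume a kernel that exposes USB interface authorisation (`/sys/bus/usb/devices/*/authorized`); the exact udev semantics should be confirmed on the target distribution before deployment.

```shell
#!/bin/sh
# Added example: allowlist the corporate-standard encrypted USB drive on Linux.
# Not from the article. VID:PID values are constructed placeholders.
# Assumes udev plus kernel USB interface authorisation (ATTR{authorized}).

# Corporate-standard drives as "vid:pid" (lowercase hex). Constructed values.
ALLOWED_USB_IDS="1234:abcd 1234:abce"

# usb_id_allowed VID:PID -> exit status 0 if the ID is on the allowlist, 1 otherwise.
usb_id_allowed() {
    for id in $ALLOWED_USB_IDS; do
        [ "$id" = "$1" ] && return 0
    done
    return 1
}

# udev_allowlist_rules -> prints a rule set for
# /etc/udev/rules.d/90-usb-storage-allowlist.rules.
# Each allowlisted VID:PID jumps past the blocking rule; every other USB
# mass-storage interface (bInterfaceClass 08) is de-authorised, so the
# usb-storage driver never binds to it. Keyboards, mice etc. are untouched.
udev_allowlist_rules() {
    for id in $ALLOWED_USB_IDS; do
        vid=${id%%:*}
        pid=${id#*:}
        printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{bInterfaceClass}=="08", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", GOTO="usb_storage_end"\n' "$vid" "$pid"
    done
    printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{bInterfaceClass}=="08", ATTR{authorized}="0"\n'
    printf 'LABEL="usb_storage_end"\n'
}

# install_rules -> writes the file and reloads udev. Needs root; not run here.
install_rules() {
    udev_allowlist_rules > /etc/udev/rules.d/90-usb-storage-allowlist.rules \
        && udevadm control --reload-rules
}

# Print the generated rule set so an administrator can review it before installing.
udev_allowlist_rules
```

Allowlisting by VID:PID stops unsanctioned drives from mounting at all, which is the port-level half of the control; the device-level half is the pre-configured password and encryption policy on the mandated drive itself. The allowlist must be kept in step with the approved device models, and a deployment would normally pair it with logging of blocked insertions so that policy violations are visible to the security team.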
Whilst there is no immediate need to panic, the challenges UK businesses face with Brexit and GDPR will soon arrive. It would be prudent to start to prepare now and address areas we know will be required so that the foundations are in place once we have absolute clarity.