There is a little over a fortnight to go before the General Data Protection Regulation (GDPR) is finally implemented. But even if your company has fallen behind, and is struggling to meet the May 25 deadline, there is some good news. It is never too late to get GDPR ready.
For the best part of 2 years, the world has been preparing for what is the single most significant development in business and service data storage, privacy and protection. And yet, recent figures suggest there is little chance that all businesses will be ready in time. According to the UK’s Federation of Small Businesses (FSB) just 8% of small businesses are GDPR ready, while across Europe, just 5% of EU companies say they are fully compliant.
But despite not quite being there, there is no need to dread the final days of May. There is ample scope for every business to finally get their procedures and policies up to scratch and enacted. Here are 3 factors to consider.
1. Proof Of Endeavour
Being GDPR ready is only the starting point of a new subject-focused data privacy culture. In effect, it changes the focal point from how it impacts on businesses to how it adequately protects the privacy rights and freedoms of employees, clients and the public.
For this reason, it’s important to have at least taken steps to address the regulations to clearly show an intention to become GDPR compliant.
- Review what you have to do – know what you have and how it must change, so you know how big the undertaking is going to be. Look at things like the type of data you are currently storing and whether you need to, and where the data is stored.
- Develop a detailed plan – identify the changes that need to be made to policies and procedures, and what new procedures must be introduced (notification, consent, request, reporting).
- Show you have started acting on it – be on the road to compliance, starting with appointing a DPO. This shows the authorities you are endeavouring to get to where you need to be, and not ignoring your new responsibilities.
It’s good to begin with notifying people of their rights to personal data access, deletion and rectification. Also let them know the importance of consent, and their rights to it. But be sure that everything is clear and concise, with no details omitted.
2. ‘Real’ GDPR Fines
Failure to comply can be very costly, with the most common financial punishments quoted being fines of up to €20 million, or 4% of the annual global turnover (whichever is greater). But, for most businesses, these are impossible fines to pay – a small company employing 30 people can hardly afford to pay €20 million in fines without closing its doors.
In fact, according to Article 83 of the GDPR, there are actually 2 tiers of punishment, with the lower tier half that of the first – a maximum fine of €10 million, or 2% of global annual turnover.
Tier 2 will apply to cases where regulations relating to data integration, data protection, data processing records, cooperation with the data regulator and data breach reporting have not been adhered to. More serious failures, like failing to protect a subject’s data rights and freedoms, failing to secure consent, and non-compliance with a prior order from the regulator, are set to face the Tier 1 fine structure.
3. Regulator Responsibilities
Finally, while media headlines warn of crippling fines and an iron GDPR fist, the reality is that regulators have a responsibility to be fair.
Regulators will consider the nature of the infringement, its gravity and duration, the existing procedures, and the degree of damage affected subjects may have suffered.
This is in line with current practice, where the vast majority of cases result in warnings and recommendations. In fact, the UK’s Information Commissioner’s Office (ICO) issued only 16 fines over 12 months from 2016 to 2017, out of a total of 18,300 data protection cases. These fines related only to serious breaches and totalled about £1.6 million.