The EU General Data Protection Regulation (GDPR) comes in to force on 25 May 2018. Despite the recent UK vote to leave the EU the UK government has said it will implement the GDPR in the form of a new UK Data Protection Bill currently going through parliament. This Bill will replace the current Data Protection Act (DPA).
The UK government will also adopt the same penalties for non-compliance with the GDPR.
It is backed up with a significantly higher fines regime for the most serious breaches of up to £17m or 4% of worldwide turnover (whichever is greater) and a requirement to notify personal data breaches within 72 hours where they are likely to result in a risk to people's rights and freedoms.
How is UK business preparing for this new set of data protection rules?
Well not very well if the most recent (20 September 2017) survey of preparedness by law firm Blake Morgan is accurate.
The survey has revealed that nine out of 10 businesses have still not made crucial updates to their privacy policies – a key requirement ahead of major changes to data protection laws.
As time runs out to comply with the GDPR, the survey found many organisations may be at risk of non-compliance, risking regulatory action and reputational and brand damage for not getting their house in order.
With the massive growth of the digital economy, GDPR represents the biggest shift in data protection for many years and all organisations which retain or process personal information will need to comply. The new law focuses on greater transparency as to how personal data is collected, retained and processed, makes organisations more accountable and gives enhanced rights to those whose personal data is being collected and processed.
Blake Morgan’s research revealed just over 10 per cent of those surveyed had updated their privacy policies to comply with the new law, while only a quarter had put in place systems to ensure data security breaches were notified in line with GDPR.
The findings showed almost 40 per cent of organisations surveyed had not taken steps to prepare for the new regulations, while more than a third were not confident they would be able to comply with GDPR by 25th May next year when the law comes into force.
A key finding was that just over a fifth of businesses surveyed were not aware of GDPR and the forthcoming and related ePrivacy Regulation and what these will mean for their organisation.
UK GDPR Awareness – September 2017
- Only around one in 10 businesses (13 per cent) had updated privacy policies, one of the significant requirements of GDPR.
- Almost a quarter of businesses (23 per cent) said they were unaware of the new data protection laws despite the looming deadline of 25 May 2018.
- Around four out of 10 businesses (39 per cent) had not taken any steps at all to prepare for the new law – leaving just months to act.
- Around four out of 10 businesses (38 per cent) were not confident they would be able to comply with GDPR by 25 May.
- Around one in five businesses (21 per cent) did not currently have a senior person in place responsible for data protection.
- More than three quarters of businesses (76 per cent) had not put in place systems to ensure data security breaches are notified in line with GDPR.
- More than three quarters of businesses (77 per cent) had not reviewed their data processing contracts which will be under greater scrutiny under GDPR.
- More than four out of 10 businesses (42 per cent) were unaware that the rules on direct marketing and the use of internet cookies are likely to change with the forthcoming ePrivacy Regulation which also has a target implementation date of 25 May 2018.
It is clear that a significant proportion of organisations across the public and private sectors are still underprepared for these major changes to data protection law and that there appears to be a genuine confusion among many business leaders about what the new law means and how to achieve full compliance.
Many organisations know they need clearer guidance and are becoming concerned over how they will complete the mountain of work they are facing because of the sheer volume of data and a limited timescale.
With the clock counting down to the law coming into force, we would recommend a focused effort by businesses to get to grips with the changes and implement a strategic plan of action.
We wholeheartedly agree with Blake Morgan’s assertion that GDPR Compliance is good corporate housekeeping. Not only will it avoid running the risk of financially damaging fines or sanctions – ultimately it will assure user and customer trust in your organisation at a time when data privacy and security are more important than ever before.