With the nation’s decision to leave the EU came lots of questions about our regulatory environment, both in terms of current laws and also ones due to come into force. One in particular is GDPR. A major improvement and modernisation of how we manage and use data, the long awaited data protection regulation will come into force in just one year, before we actually leave the EU.
These two major developments in our nation’s history can bring some confusion, but I’d say there are five things you need to know and do to get your head around them:
Regardless of what any naysayers or sceptics might say or hope, this legislation is coming. In fact the deadline of 25th May 2018 has been confirmed in spite of the referendum result.
Until the point we eventually leave the Union, GDPR will be applicable to our businesses. In fact, regardless of whether we are in or out, Theresa May has already indicated that she intends to keep GDPR as a UK law, and this has been welcomed by many people in legal, technical and corporate circles. Having our own GDPR would not only help us to better protect user data, but more importantly help UK businesses remain competitive when dealing with Union-based organisations.
After all, we’ll still do a significant amount of business with Europe.
Don’t ignore it
When the legislation comes into force the UK will still need to abide by it, because we will still be part of the EU at that point – no let-off for us, which means we will still be liable for any fines and punishments for failure to comply. Don’t be complacent and think a slap on the wrist will be the only punishment for breaching the rules, as fines are set to dramatically increase. Reported penalties for failing to comply with GDPR could be a maximum of €20 million or 4 per cent of annual global turnover, not to mention the reputational damage. In other words, your business could be dead and buried.
The Information Commissioner’s Office (ICO) has advised that businesses should continue to prepare for GDPR in the face of Brexit. If you haven’t already done so, start reviewing which parts of your business established in the UK may be affected by the proposed changes, along with the parts that offer goods and services to citizens in the EU/EEA. In fact, the territorial scope of GDPR goes beyond the EU, so check all of your international transactions.
Small to medium businesses will have the benefit of being much more flexible and reactive than their larger counterparts, so they can start to make the necessary changes sooner rather than later. After all, it is much easier to build the relevant processes now, in advance, than to retro-build them in a rush closer to the date.
Allocate a budget
As with any new legislation, particularly with an IT focus, there will be an initial investment on the road to compliance. Whether that’s investing in new systems, or enhancing the ones you already have, there will be a cost. Depending on the level of expertise available in your business, appointing a data protection expert could be a wise investment, even if just on a short term basis.
With a regulatory change as significant as this, I can’t stress enough the importance of seeking advice. The right expert adviser can help you to get to grips with the intricacies of how you use, store and share data and how the introduction of GDPR will ultimately impact your business in the short and long term. A good adviser will also be able to foresee any potential issues and show how you can mitigate them in order to avoid the extortionate fines I mentioned earlier. So look into GDPR advisers, but also software experts, to help guide you along the correct path.
Brexit is coming. So is GDPR. But with the right planning, preparation and support small to medium businesses can still thrive.
Mark Woolley is commercial director for Reckon, developers of Virtual Cabinet