How the EU’s new data law affects you regardless of Brexit

PHIL REED

It doesn’t matter whether you voted Leave or Remain back in June, or whether your business has any offices or staff situated in the EU outside of UK borders. It doesn’t matter if you like it or not – your business needs to be aware of the new EU General Data Protection Regulation (GDPR) or face potential fines of up to 20 million Euros (£17 million).

That’s not just because the UK is going to stay part of the EU until at least two years after Article 50 of the Lisbon Treaty is invoked. It isn’t even because the UK government will probably need to continue subscribing to key pieces of EU business legislation like GDPR in order to grease the wheels of any post-Brexit free trade settlement.  The rules apply to ANY economically active organisation from Tidmouth to Timbuktu that holds personal information about EU citizens.

True, microbusinesses and those with highly localised customer demographics are going to feel pretty safe knowing that, but most others will have some history of trading with organisations and individuals in Ireland or on the continent. And – even if not – let’s hope enough of us at least have the aspiration to do so, to support the export-orientated focus the UK will need in order to prosper in future!

Did you know, for instance:

  • Contravening GDPR rules on things like data security and confidentiality could mean fines of up to 20m Euros, or 4% of annual turnover – whichever is higher. What’s more, your standard company “D&O” insurance covering directors and officers might be invalid if you do nothing to address this legislation.
  • GDPR gives citizens new rights over their data that go beyond the UK Data Protection Act and other powers currently in force. These include greater rights to:
    • Have access to their data within one month, including a summary of how their data has been processed and used.
    • Transfer their personal data using a structured and commonly used format
    • Have their data be erased, rather than merely ‘forgotten’.
  • GDPR is in place now, though it won’t technically be applied until 2018 whereupon sanctions will be imposed for non-compliance.

Some of the key actions organisations will need to address include:

    • Educating staff about GDPR so that they know how to record data properly and not informally, or risk messing up the process of dealing with data access requests.
  • Assess data stores, sources, processes and objectives so that you know where all data is kept and controlled. Ultimately this will help establish a beneficial data strategy that could drive significant value into your business – not just a means of achieving GDPR compliance.
  • Evaluate technology solutions to support the data strategy. Aside from the obvious considerations about security infrastructure, data encryption and so on, one key concern raised by GDPR concerns the ‘territoriality’ of data in terms of where it is stored using public cloud services.

The first step to addressing any problem is to admit you have a problem. If GDPR looks like it could be an issue for your business, don’t bury your head in the sand because it will absolutely not go away.  At Comtec, we’ll be happy to talk you through your present data strategy and find solutions to take you to compliance and beyond.