It’s now less than nine months until the General Data Protection Regulation (GDPR) storms into our lives. The fresh set of rules, which come into force on 25 May 2018, will completely disrupt the way businesses manage data, forcing some firms to drastically overhaul their processes.
The clock is ticking and many companies are clearly unprepared. In fact, research from law firm Collyer Bristow, published last week, found that 55 per cent of small businesses in the UK are still unfamiliar with the regulation. What’s more worrying is that 18 per cent of small businesses would be at risk of insolvency if they were hit by the new maximum fine for not complying – a sobering statistic when you consider the impact this could have on an entire organisation and its staff.
Peter Alderson, managing director of business finance provider LDF, comments, “GDPR has been on our radar as a business for some considerable time, and it’s come into increasing focus. Whilst we have made continued efforts to stay close to the regulation changes and prepare our business for such a broad change, the clear and present issue remains the lack of apparent clarity around this subject, and that has to be a worry for a great number of businesses currently.”
Previously, fines for breaching data protection rules were set at a maximum of £500,000. But companies that fall foul of GDPR will be subject to fines of up to €20m or four per cent of worldwide turnover, whichever is higher. So even for the big players, this new penalty is no walk in the park.
GDPR will apply to all firms that handle customer data, meaning no sector is immune. But Collyer Bristow’s research suggests some sectors are less familiar than others, with real estate and construction faring the worst.
The GDPR deadline might seem like a while away yet, but companies are being urged to take action now. However, it’s apparent that some business owners are putting it off, partly due to the cost and resources needed, but also because there is still some uncertainty around the regulation, with some businesses unsure exactly how to incorporate the rules into their businesses, or how the rules will be enforced.
Peter comments further, “Businesses need to have a firm plan for GDPR, and whilst there’s no clear ruling on the requirements yet, there are things that businesses can start to address now, to lessen the impact, from system capability analysis, speaking to your data providers on their plans for compliance to perhaps appointing someone internally, who will manage the change and adopt a stance on how this will be executed. With such a narrow window, it will pay to be prepared.”
There’s also confusion around how the rules will differ between the EU member states (yes, the UK is still expected to comply with GDPR, despite being embroiled in Brexit negotiations), and many firms are still waiting for more guidance.
So yes, we should be worried that so many companies are unfamiliar with the rules, but perhaps the government and the regulators need to do more to help businesses navigate the minefield.