New fines for non-compliance
Firms ‘unaware’ of data rules shake-up
Many businesses remain unaware of the biggest shake-up in data protection laws for 20 years and risk huge fines if they are not compliant by next year.
With just a year to go until the new rules apply, 25% of businesses and organisations in the UK are unaware of the new legislation and almost half have yet to start preparing for its introduction, according to a survey by Ipsos MORI and Scottish law firm Brodies.
The General Data Protection Regulation (GDPR) applies from 25 May 2018 and will impose strict new rules on the way that organisations collect, store and use personal data.
Currently, the Information Commissioner has powers to issue fines of up to £500,000 for serious breaches of data protection law. Under the GDPR, however, the maximum fine for the most severe breaches will be €20 million (£17 million) or 4% of a business’s worldwide annual turnover, whichever is higher.
The regulation, which replaces the current Data Protection Act 1998, will also herald the end of the pre-ticked ‘opt-in’ boxes that are widely used on websites for marketing purposes.
Instead, those handling personal data will be required to seek consent through “affirmative action” from individuals and will have to explain to them how their data will be used, how long it will be kept and how it will be safeguarded.
The survey of private and public sector organisations across the UK carried out by Ipsos MORI on behalf of Brodies reveals a low level of awareness and preparedness despite the risks of non-compliance.
As a first step towards compliance, organisations that handle personal data should carry out an information audit to identify what personal data they hold, where they hold it, where it came from, what they use it for and with whom it is shared.
Despite the fact that 74% of the 92 respondents believe the GDPR will have a “high” or “medium” impact on their organisation, 45% of respondents have yet to carry out such an audit and 8% don’t know whether they have.
Positively, when asked about their organisation’s readiness for the introduction of the new legislation, just over two-thirds of respondents (67%) said they were on track for compliance by 25 May 2018, although 11% said they were unlikely to be compliant by then and 17% did not know. Just 5% said their organisations were ready now, a year ahead of the deadline.
The biggest obstacle to GDPR compliance identified by organisations was resourcing, followed by the need for cultural change, lack of regulatory guidance, budget constraints and lack of clear internal ownership and responsibility for compliance.
Commenting on the survey’s findings, Elizabeth Denham, UK Information Commissioner, said: “Together with government and European authorities, we’ve been reaching out to organisations to help them get ready for GDPR since March 2016, but we know there are organisations which have yet to engage. With one year to go, there’s still time to prepare, but there’s no time to waste.”
Grant Campbell, head of Brodies’ commercial services division, added: “Personal data is the lifeblood of many organisations and, increasingly, how they handle that data is a matter of concern not just to regulators but to us all.
“Meeting the requirements of GDPR is a regulatory compliance issue but it also protects organisations from brand and other reputational damage and that will be increasingly important if individuals are to trust them with their data and business.
“These survey results show that, for many, there is a lot of work to do if GDPR compliance is to be achieved by May 2018.
“While 67% of organisations are confident that they will be ready, it is difficult to reconcile that statistic with the finding that over half of organisations have not (or don’t know whether they have) conducted an information audit, which is an essential building block for a compliance strategy.”