With only eighteen months to go until the General Data Protection Regulation (GDPR) takes effect, leading law firm Foot Anstey is advising businesses to get prepared.
It is widely acknowledged that existing data protection laws are no longer fit for purpose due to advances in technology and changes in business strategy and consumer focus, hence the new regulations represent the biggest change in European data protection laws in twenty years. The GDPR will take effect on 25 May 2018, with Brexit making no difference to this timeframe (as confirmed recently by the ICO, the UK's data protection regulator).
The GDPR introduces a number of new concepts and significantly raises the bar across the board (though barely any of the fundamental elements of today's laws have been scrapped). One of the most important changes for businesses to note is that maximum fines have substantially increased – under the new laws fines will be up to the greater of €20 million or 4% of global annual turnover.
Martin Cuell, Partner and Technology lead, said: "Data protection is a critical issue for most businesses; on the one hand recent high profile cases have drawn attention to the reputation risks around data breaches, while managing data effectively can transform businesses and generate new opportunities.
"What's clear is that the days of treating data protection as an afterthought, or fumbling around for quick fix solutions when issues crop up are over – organisations are going to be required to tackle this head-on at the most senior level."
Alexandra Leonidou, Senior Associate, has recently joined Foot Anstey from an in-house role at Warner Bros. Entertainment and is a specialist in data protection. She has produced a practical guidance note for businesses:
"With only eighteen months to go until the GDPR takes effect, businesses can and should be preparing now so that they are on the front foot. The most important things to consider are:
- Accountability: The first step will be to put someone or a team in charge of leading this area.
- Awareness: Raise awareness among key stakeholders about the importance of the GDPR – this isn't just something for IT or data officers. Boards should be aware of the risks, HR teams need to think about employee data, and getting GDPR compliance right will be critical for marketing and communications teams' activity.
- Audit: Conduct a data mapping exercise – do you know what data you have and where it is?
- Assess: What are the gaps revealed by your audit? Where are the easy wins? Where are the opportunities? Prioritise accordingly.
"The final thing to remember is that you can drive engagement by making this more than just an exercise in compliance. Today's technologies and marketing practices mean that there are endless opportunities to extract value from your data – getting ready for the GDPR may actually facilitate this and will lower the risk of doing so."
For further information or to request a copy of Foot Anstey's practical guide to the changes ahead please email firstname.lastname@example.org