Could new data laws end up bankrupting your company?

By Matthew Wall
Technology of Business editor

Image caption: Many companies are in full "panic" mode, says KPMG's Mark Thompson

The European Union's General Data Protection Regulation (GDPR) applies from 25 May 2018, radically changing how organisations must look after our personal data. Failure to comply could lead to huge fines, yet many businesses are far from ready. Here's why you should care.

What is GDPR exactly?

A new EU regulation governing how organisations should handle and protect our personal data.

Many of the stipulations are already covered by the UK's Data Protection Act, but simply put, organisations need to keep records of the personal data they process, be able to prove that consent was given where consent is the legal basis they rely on, and show where the data is going, what it is being used for and how it is being protected.

Accountability is the new watchword.

If personal data is stolen in a cyber-attack, companies must report the breach to the data protection regulator within 72 hours of becoming aware of it, unless the breach is unlikely to put people at risk; where the risk to individuals is high, they must also tell the people affected.

And the definition of personal data has been extended to include extra categories such as your computer's IP address or your genetic make-up: anything that can be used, directly or indirectly, to identify you.

Why should businesses care?

Non-compliance with the GDPR could lead to fines of up to 20 million euros or 4% of annual global turnover, whichever is the greater. For a company like tech giant Apple, that could amount to billions of dollars.

Consult Hyperion, an electronic financial transactions specialist, forecasts that European financial institutions could face fines totalling 4.7bn euros (£4.1bn; $5.3bn) in the first three years following the GDPR coming into force.

Image caption: Is this your firm's attitude to GDPR?

Anthony Lee, a partner in law firm DMH Stallard, says: "TalkTalk [a UK telecoms company] was fined £400,000 for failing to prevent the 2015 customer data breach, but under the new regime fines could be many multiples of this."

However, a spokesperson for the UK's Information Commissioner's Office (ICO) - the body responsible for enforcing GDPR in the UK - says: "The new law equals bigger fines for getting it wrong but it's important to recognise the business benefits of getting data protection right.

"There is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals - and gain a competitive edge.

"But if your organisation can't demonstrate that good data protection is a cornerstone of your business policy and practices when the new law comes in next year, you're leaving your organisation open to enforcement action that can damage both public reputation and bank balance."

Why should consumers care?

The new regulation builds on existing data protection law, but strengthens the rules around customers' consent, giving us the right to withdraw consent whenever we like.

We already have the right to see what personal data organisations hold on us by making what's called a "subject access request"; under the GDPR this must generally be free of charge, where the old regime allowed a small fee. We can also demand that such data be rectified, and, in the circumstances the regulation sets out, erased under the "right to be forgotten".

Image caption: The new regulation puts consumers back in the driving seat when it comes to their personal data

So in short, we have more control and power.

Are businesses prepared?

"Many businesses have no idea what to do and don't want to grasp the nettle," says Mark Thompson, a partner in KPMG's privacy advisory practice.

"There's a lot of misinformation and panic around at the moment, but if businesses don't take responsibility for this at board level they will fail.

"This will affect every part of their business."

And Chris Daly, chief executive of the Chartered Institute of Marketing, says: "There is a real lack of awareness about this issue in our sector - 60% thought it wouldn't affect their business at all."

Image caption: Many firms haven't even begun getting ready to comply with the new regulation

GDPR specialist EMW Law believes just 29% of UK businesses have begun preparing for the change, "a shocking figure, as on average organisations need 12-15 months to prepare", the firm says.

With cyber-attacks on the rise and growing in sophistication, data breaches are becoming almost inevitable. So will your firm be able to demonstrate that it had appropriate technical and organisational measures in place to protect personal data from this threat?

Will it be able to show that it reported any breach within the 72-hour window following discovery?

What should they be doing?

One of the reasons many businesses seem unprepared for GDPR is that they don't know enough about the data they hold, argues Rashmi Knowles, European chief technology officer at security firm RSA.

"A lot of companies don't even know where their data is, how it is being used, or what policies are in place governing how it can be used," she says.

So the first and most important task is to carry out a comprehensive data audit and make sure the top brass are fully behind this.


Research by Sharp finds that a quarter of workers interviewed admitted to storing work information in the public cloud against company policy, two-fifths use their own devices at work, and a third take work home with them.

All these practices are potential security weaknesses.

Personal data - from customer databases to employee payroll information - may well be insecure without your firm even knowing it.

But ignorance of this will be no excuse under the GDPR.

What about sharing data?

"There are hundreds of thousands of documents online that shouldn't be publicly available," says James Chappell at security company Digital Shadows.

"Supply chains are often not looking after customer data properly."

And this is a point many companies are overlooking, warns Mr Lee.

Image caption: If this is how your subcontractor treats customer data, you could be in trouble

"If you want to share data with a third party you must show that the sub-contractors will keep that data safe and private," he says.

"That's a big problem because most subcontractor contracts don't have these clauses in them. Organisations need to start renegotiating these contracts now."

What about Brexit?

Although the GDPR applies to data processing carried out by organisations established within the EU, it also applies to organisations outside the EU that offer goods or services to people in the EU, or that monitor their behaviour, whatever those people's nationality.

The GDPR applies in the UK from 25 May 2018, superseding the Data Protection Act 1998, and the government has confirmed that the UK's decision to leave the EU will not change this.

So Brexit is no "get out of jail free" card.

What help is out there?

There are lots of companies offering to help organisations prepare for GDPR, and the UK's Information Commissioner's Office has an entire section of its website giving advice and information.

The European Union's GDPR website is also an obvious place to start.