46 Business
SUSSEX LOCAL
Are local businesses ready for the GDPR?
Is your business ready for the introduction of the new General Data Protection Regulation in May 2018? The Information Commissioner’s Office (ICO) has advised that businesses should be forging ahead with preparations to comply with the EU GDPR regardless of Brexit. UK organisations cannot afford to lose the public’s trust in their ability to safeguard personal data and should be working to ensure they have that capability. A recent IT Security survey found that 61% of UK companies don’t realise that the new Regulation applies to them. The truth is that the GDPR will affect all companies in the UK. A further study has shown that 21% of senior management have little or no awareness about the effect that the GDPR will have on their organisation. While 31% of the companies questioned had experienced an incident in the last 12 months due to staff negligence or bad practice. It is essential that companies are made aware of the changes and new obligations in the legislation by May 2018 and time is running out. The Regulation contains new rights for people to access the information companies hold about them, obligations for better data management and a new regime of fines. Incidents with serious consequences can have fines of up to €20 million or 4% of a firm's global turnover whichever is greater. Under the GDPR companies will be more accountable for the handling of people's personal information. This will include having data protection policies, data protection impact assessments and data mapping showing how the data is processed. Companies will need to obtain consent and demonstrate why people's information is being collected and processed, providing descriptions of the information that is held, how long it is being kept for and descriptions of the technical security measures in place. The GDPR also gives individuals more power to access the information that is held about them free of charge. A major cause of data breaches is mobile working. Of the companies who were asked to name the greatest security risk to their organisation 51% cited outdated
software followed by 48% their employees. A further 38% of these companies said that they have no control over where company data goes or where it is stored. While 44% expect that mobile workers will expose their organisation to the risks of a data breach. To help prepare for the GDPR the ICO has created a 12-step guide which includes steps such as making key people aware of the Regulation, determining what information is held, reviewing current privacy notices, identifying the lawful basis for processing the data and what should happen in the event of a data breach. Eddie Finch and Tana Jackson are the GDPR Practitioners at Chapter Three Consulting who provide a GDPR compliance review for companies.