Is your business ready for the biggest change to data protection in a generation?
Nigel Anthony Adams TD
Providing Business Insurance Solutions, for Entrepreneurs, Directors and Trustees. Author, Speaker and Veteran.
In just a few months, the most radical change in data protection legislation in a generation will come into effect.
GDPR will have widespread implications for all UK businesses.
The way we deal with personal data is set to change forever. It’s important that all businesses start to plan for how they will comply with the new rules.
What is GDPR?
This stands for the General Data Protection Regulation, which replaces the UK Data Protection Act 1998 and harmonises data protection rules across Europe.
GDPR will apply from May 2018 and will come into force despite Brexit, the UK government has confirmed.
The rules impose greater obligations on businesses and organisations dealing with people’s data.
GDPR gives individuals more rights, and makes data regulation compliance far more important to the future of any business.
The bottom line is that the potential penalties for breaching the regulations are far more severe than those under the Data Protection Act.
Fines for the most serious breaches can amount to €20 million or 4% of a business' worldwide annual turnover, whichever is greater (the maximum under the Data Protection Act is £500,000).
The stark fact is that from 2018, dealing with data properly could mean the difference between a business surviving or going bankrupt.
What do the regulations say?
The rules mean there will be data controllers and data processors – each with different legal responsibilities.
Data controllers must be able to demonstrate compliance: they must have policies and procedures for dealing with people's data, show how those policies are governed, keep records of their processing activities, carry out data protection impact assessments for high-risk processing, and appoint a data protection officer where the regulation requires one.
Data processors must handle data only on the controller's instructions, adhere to those policies, and keep the data secure.
The onus is also on businesses to report personal data breaches that put individuals at risk to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of them.
That report must include the nature of the breach, its likely impact, and any measures taken to address it.
In high-risk situations, the affected individuals must also be contacted directly by the business.
The ICO now has the power to order data audits, too.
Victims also have the right to compensation.
Privacy notices must be clear, transparent, and issued when businesses collect or pass on data.
They must contain the retention period of that data and the individual’s rights when it comes to seeing what’s collected, restricting it, and objecting to the collection of that data.
From 2018, silence or pre-ticked boxes do not give businesses consent to collect data.
Consent can also be withdrawn at any stage.
The regulations do not apply to truly anonymised data, but pseudonymised data (where individuals can still be re-identified with additional information) is still personal data and remains in scope.
What do businesses need to do?
Get a structure in place to deal with the huge changes GDPR will bring, including drafting company policies, drawing up privacy notices, and assigning clear responsibility for data protection (including a data protection officer where one is required) so that policies are communicated and applied correctly.
All businesses will be expected to comply with the rules, no matter how large or small.
Businesses should also look at their cyber protections and their cyber liability insurance policies.
Having evidence of proper cyber security, with systems in place to prevent and detect hacking and other attacks, will be an important part of showing that a business is meeting its GDPR security obligations.
Should the worst happen, it’s vital your cyber security insurance gives you adequate cover.
Get GDPR ready. Talk to our cyber insurance experts at Severn Bay today on 02920 470375. You can get our free guide to small business insurance here.