by Ross Dyer
Organisations across the UK should be asking themselves “how do I prepare for the coming EU General Data Protection Regulation?” When it is finally enacted, it’ll be one of the most sweeping changes to Europe’s privacy regulations in a generation, and could levy fines as high as €100 million or 5% of a company’s global revenue for non-compliance. Yet as Trend Micro research this year has shown, there’s still widespread apathy and ignorance amongst organisations.
That’s why we’ve been a vocal presence in the debate. It was also the driver behind our decision to host a roundtable earlier this month – featuring attendees from politics, business, law, diplomacy and the media, including former GCHQ boss Sir David Omand – to discuss how UK businesses should respond.
The big picture
Earlier this year, our research found that only half of UK firms are aware of the upcoming regulation, compared with 87% in Germany. It also revealed that only 10% of UK businesses believe they fully understand what they need to do to comply.
Yet as Charlotte Holloway, head of policy at techUK, argued at the roundtable, “We do more ecommerce in the UK than the rest of the EU combined. The UK is a leader and has companies that will be most profoundly affected by this.” There’s a clear need to better prepare for the new regulations, therefore, but what are the major proposals as defined by the experts?
Right to be forgotten – this has already come to a head in the courts after Google lost a high-profile case. Broadly speaking, it’s designed to enhance privacy by giving citizens the right to demand that websites take down out-of-date information about them.
Mandatory breach notifications – these will work like US-style laws to provide greater transparency into the loss of personal data by large organisations, and in so doing hopefully force firms to take data protection more seriously.
Consent – current proposals would mean organisations have to obtain consent from citizens every time their data is used, which could increase the costs of doing business considerably.
Privacy impact assessments – these would be required under the new regulations before firms launch new products or services. The EU also wants to mandate that every large organisation employs an in-house data protection officer.
Time to prepare
So what advice did our collection of industry experts have for firms looking to pave the way for the new regulations?
Well, we argued that any plans should begin with strategy and policy – in particular knowing where your most sensitive data resides and being able to identify when there’s been a breach. KPMG partner Stephen Bonner added that organisations could do worse than to test their ability to respond to breaches. Shell’s data privacy legal counsel, Monika Tomczak-Gorlikowska, argued that the best companies will approach privacy with “proportionality, transparency and accountability” front of mind.
There’s still a long way to go before the regulation is enacted – potentially another two years, with a further “bedding in” period of several years after that. But to avoid a nasty surprise, and a hefty bill, further down the line, the smart move would be to start planning now.