Next year will see the implementation of the EU’s General Data Protection Regulation (GDPR) – the most significant change to data protection in almost two decades!
This law is a major consideration for EU businesses as it will strengthen and unify data regulation across the EU and give individuals more control over their own personal data, while introducing tougher fines for non-compliance and data breaches. Of course, this will also affect businesses operating in Jersey and Guernsey as the regulation will be adopted by the Governments of both islands and written into corresponding law.
From a technical perspective, GDPR introduces new requirements and rights including ‘the right to be forgotten’, which gives people the ability to request deletion of their personal data. ‘The right to data portability’ will ensure that data is provided in common formats so it can be shared between online services. Enhanced audit trails will become more important too; for example, GDPR will change the way websites must seek, obtain and record consent to use personal data. Any piece of data that could be used to personally identify people is covered by GDPR – this includes things like cookies, and will now also encompass IP addresses.
There is a tendency to believe that GDPR is only relevant to IT departments and that it’s all to do with system security and hackers breaking in to steal your organisation’s data. As ever, the importance of robust physical security remains paramount, but GDPR extends far wider than system security and will in fact affect all our industries and areas of business. Failure to consider the full impact of GDPR on your business could prove costly, as companies that do not meet its requirements could face reputational damage and even fines.
It is critical to recognise that GDPR compliance should be a shared duty – GDPR means organisations must respect and protect personal data no matter where it is sent, processed or stored. For most businesses, this will mean reconsidering internal policies and procedures, which are critical to demonstrating compliance in key areas such as risk assessment, implementing privacy by design and data breach notification processes. Your whole organisation should be made aware of GDPR, its ramifications and what must be done to comply with the law once it comes into force.
While this may seem like a lot of work, it’s not all bad news for businesses. The regulation is not designed to be unnecessarily onerous: it clearly recognises organisations’ need to handle data, but seeks to safeguard personal information and establish accountability – it is essentially preparing us for a world that is much more data-driven.
Of course, it will take time for tools and processes to bed in, which is why now is the time to think about GDPR. The new regulation comes into effect in May 2018, which gives businesses across the Channel Islands the time to prepare for its impact.
In the meantime, I urge local business leaders to consider how this will affect their businesses. If you are unsure or need help to develop a plan for compliance that is relevant to your business, I would recommend seeking professional advice.
If you are seeking professional advice to ensure your business is GDPR compliant, please get in touch with our Team.