The EU's General Data Protection Regulation (GDPR) comes into force on 25th May 2018. As an EU regulation it applies directly in the UK; the Data Protection Act 2018, which replaces the Data Protection Act 1998, supplements it in UK law.
General Data Protection Regulation (GDPR)
The EU adopted the General Data Protection Regulation (GDPR) on 27th April 2016, and it comes into force on 25th May 2018. It is designed to give individuals better control over their personal data, with one set of rules applying across the EU. There are two tiers of fines for non-compliance. The first is up to €10 million, or 2% of annual global turnover, whichever is the higher, for breaches of the record-keeping, security, breach notification, and data protection impact assessment obligations. The second is up to €20 million, or 4% of annual global turnover, whichever is the higher, for breaches regarding the legal basis for processing, data subject rights, and cross-border data transfers. The full nature, extent, and scope of the regulation are set out here.
Surveys Find That UK Firms Are Not Prepared For The General Data Protection Regulation (GDPR)
A recent survey found that less than 50% of businesses in the UK are aware of the new Data Protection Act 2018 (which supplements the GDPR in UK law). It found that:-
- Only 38% of businesses and 44% of charities had even heard of GDPR, let alone prepared in any way for it
- Of those that were aware of GDPR, only 27% of businesses and 26% of charities had made any changes in readiness for the new legislation. That amounts to just 10.26% of all businesses and 11.44% of all charities that took part in the survey
- Larger organisations were more aware of GDPR than smaller ones. 80% of large firms were aware of GDPR, compared with 66% of medium-sized firms, 49% of small businesses (10-49 staff), and 31% of micro businesses (2-9 staff)
- The most common changes made in preparation for GDPR were changes to practices and procedures, the provision of training, and the deployment of new systems
A survey by the Federation of Small Businesses (FSB) found that over 90% of small businesses were ill-prepared for GDPR. The survey found that:-
- Just 8% of small businesses had completed their preparations for GDPR
- 35% of small businesses stated that they had begun their preparations, but were still at an early stage
- 33% of small businesses had made no preparations whatsoever
- 18% of small business owners admitted to never having heard of GDPR, whilst 34% conceded that they had little understanding of it. Just 13% stated that they had a complete understanding of it
- Businesses in the financial services sector were the most prepared (82%), whilst those in hospitality, arts & entertainment were the least prepared. In other sectors, 41% of businesses in retail and wholesale had not started their preparations, whilst 37% of construction businesses and 28% of manufacturing businesses had not started theirs.
In a separate survey by the Direct Marketing Association, over 40% of marketing businesses were found not to be ready for GDPR. Direct marketing is one of the sectors that will be most affected by the changes being introduced by the GDPR and the Data Protection Act 2018. The greatest concern (28%) about GDPR amongst marketing businesses is the definition of consent, and the removal of implied consent.
Just 80 Days Left To Prepare
Given the new level of fines that can be imposed, which in many cases could be enough to send a firm under, it is essential that firms use the time that is left to prepare sufficiently for GDPR. The Information Commissioner, Elizabeth Denham, urges businesses to make use of the guidance on the ICO's website. She states: "organisations are beginning to embrace the GDPR, seeing it for the opportunities it presents rather than the perceived barriers it throws up. [The ICO guidance] sets out our approach to help create a regulatory environment where data subjects are protected and businesses are able to operate and innovate efficiently in a digital age. These two must go hand in hand – privacy and innovation. Support, education and guidance is at the heart of our regulation, but it is backed up by tough action where obligations are not met or ignored. We will also reserve our strongest sanctions for breaches involving novel, technological approaches that present a high degree of intrusion into people's privacy. We all need to do things differently to meet the requirements of data protection reforms. But you have to take the people with you. This is change. This is change for the good."