The UK may have voted to leave the EU – but that doesn’t mean you can ignore the GDPR. It will affect all UK businesses whether we are in or out of the EU. So you need to ensure you understand what GDPR is, how it will affect you and what you need to do to be compliant.
Although GDPR doesn’t come into force until May 2018, Jamie Graves, CEO of ZoneFox, says implementation can easily take months – so it’s best to start thinking, and planning, as soon as possible. Graves advises the following:
The Commission defines personal data as "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address." This definition is wide-ranging and will have an impact on any organisation, in or outside the EU.
As the EU intends this regulation to apply to any and all data held on EU citizens, it will impact UK businesses that want to process or store EU citizen data. In other words, you will still need to comply with the new regulations even after Brexit.
One of the new changes to the legislation is the right of the citizen to be notified if their data has been breached or compromised. Included in the GDPR is a requirement for an organisation to contact their Data Protection Authority (DPA) within 72 hours of learning about a breach. There are no exceptions: failure to comply can result in potentially crippling fines starting at €10 million, or two percent of global turnover.
One of the big changes relates to the need to respond to any data breach within 72 hours of detecting it. This is a big ask considering it currently takes around 200 days to detect a breach. You can see this as a burden, or view it as the opportunity it is.
Continuous monitoring requires a set of capabilities that gives you insights into what's going on in your organisation every second of the day. However, there are supporting factors that contribute to this successful approach, which are:
UK companies have less than two years to implement GDPR processes and systems. Take a look at the handy downloadable timeline which will give you insights into what needs to happen, when you should start doing it, and how long it should take you.
The main takeaway? Don’t panic! There’s still time, if you start preparing now.
Read the August 2016 issue of Business Review Europe magazine.