One year to GDPR: Is your business compliant?
In less than a year, the EU General Data Protection Regulation (GDPR) will come into force. The forthcoming guidelines are intended to create uniform data protection rules for EU member states. Despite Brexit, UK organisations that want to conduct business in the EU must also comply with the GDPR. The government has confirmed that the United Kingdom’s decision to leave the EU will not affect the commencement of the GDPR.
As the GDPR will be formally adopted on 25th May 2018, your organisation must begin taking the necessary steps now, if it has not already done so. By that date, your organisation should complete the 12 steps outlined by the Information Commissioner’s Office (ICO), which can be found here. Especially if your organisation relies on a constant stream of prospect data for its sales pipeline, now is the time to audit that data to ensure you can keep prospecting and selling after the GDPR commences. If your organisation fails to comply with the new regulation and does not provide adequate cyber protection for your customers, you could receive sizeable fines and penalties.
The GDPR has a simple, two-tiered fine structure:
- An organisation may be fined up to €10m (roughly £8m) or 2% of its annual turnover (whichever is higher) for not properly filing and organising its records, for not notifying the supervising authority and data subject about a breach, and for not conducting impact assessments.
- An organisation may be fined up to €20m (roughly £16m) or 4% of its annual turnover (whichever is higher) for violating the basic principles related to data security or for violating consumer consent.