A survey carried out by the Institute of Directors between July and August this year found that 30% of business leaders had not heard of the General Data Protection Regulation (GDPR) that comes into force on 25 May 2018. Almost 900 members of the IoD were surveyed, with 4 in 10 stating that they don’t know if their company will be affected by the new legislation.
The GDPR will apply to all companies worldwide that process personal data of EU citizens and, although the deadline is fast approaching, many businesses are still unclear about what steps they need to take to ensure that they are compliant.
The GDPR introduces the need for tighter security around personal data than the existing UK Data Protection Act (DPA) and it will be enforced by a stricter compliance regime. The level of fine for a data privacy breach will rise from a ceiling of £500,000 under the DPA to 4% of global annual turnover or €20m, whichever is the higher.
GDPR and cyber security
There is a close correlation between data protection and cyber security. Figures released by the Department for Culture, Media and Sport in April this year found that 46% of all businesses had identified at least one cyber security breach or attack in the last 12 months, but only 26% of breaches were externally reported to anybody outside of an outsourced cyber security provider. This is despite the fact that, when the GDPR is in force, failure to notify a data breach within 72 hours carries a penalty of up to 2% of global annual turnover or €10m, whichever is the higher. The increasing volume and sophistication of cyber-attacks represents a substantial risk to GDPR compliance.
Compliance draws on a combination of people, processes and technology. Organisations will be required to provide proof of compliance with the GDPR, placing the onus firmly on the company to document how it gathers, processes and protects personal data. Any new processing of personal data requires a privacy risk assessment to be performed and documented as part of the evidence of compliance.
Key provisions of the legislation include:
- Data portability - the right for a data subject to receive the personal data concerning himself/herself, which he/she has previously provided, in a 'commonly used and machine-readable format'. The data subject also has the right to transmit the data to another controller.
- The right to be forgotten - entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Privacy by design - calls for the inclusion of data protection at the system design stage, not as an add-on later.
The technology that underpins the collection and storage of data may require additional functionality to ensure compliance.
Where to start: technology-led assessments
GDPR will impact organisations in different ways, depending on the types of personal data that a business is processing. The first step is to discover and establish a baseline of the current state of the data being processed versus what is needed to meet the demands of compliance, so that any key gaps can be quickly identified.
Intuitus now offers a GDPR readiness assessment within the scope of all due diligence engagements. This service looks at and measures whether an organisation is on track to achieve GDPR compliance by May 2018. The assessment focuses on three key areas:
- Based on the types of data being processed, how significant is the introduction of the GDPR for the company?
- What approach has been taken to ensure compliance with the GDPR?
- Are there obvious gaps in the current approach being taken to achieve GDPR compliance?
With deep, sector-relevant expertise in technology and IT due diligence and cyber security, Intuitus is uniquely positioned to advise on the impact of the GDPR. The regulatory and compliance framework is having an increasing impact on the technology and IT landscape, as evidenced by the GDPR. As the needs of our clients and the private equity industry evolve, Intuitus is committed to continually adapting the services we offer to meet those demands.
To find out more about GDPR readiness assessments speak to one of the Intuitus team today.