Are you ready for GDPR?

GDPR (or General Data Protection Regulation) will replace the Data Protection Act of the mid 90’s. It will place greater obligations on how organisations store, handle and process data, with a greater significance on what consent has been provided and how it is documented. This applies both to external data, such as customer information, and internal data, such as employee information.

There are a set of guidelines that organisations must follow and one thing you can be sure of is that failing to act is not an option. Furthermore, if you are wondering ‘what will happen after Brexit’, then wonder no more, while GDPR is a Directive for, the EU, the larger part of it is being adopted by domestic legislation and will apply when the UK has finally negotiated its departure.

It is yet to be seen how effective the change will be but there is no question that protection of data is seen as sacrosanct and the maximum legal penalties are eye watering; up to 4% of turnover or €20M.

Organisations’ risk registers should consider the implications of a data breach including: who needs to be notified and by when, the practicalities of undertaking this within the required timescales, and the possible costs involved with notification (typically £50-£150 per record, depending on the type of data breached).

It is also important that organisations understand the potentially greater loss of a poorly handled data breach in the reputational damage they and their brand may suffer.

Insurers have responded to provide policies which can help if things go wrong, but this is a fast moving area of insurance and it is important to check the small print.

Spring is fast approaching and in theory organisations have had two years to prepare. If it hasn’t yet been done, now is the time to carry out an audit to review what personal data is held by you and why. Make sure the key people within your organisation are aware of the changes.