Hundreds of thousands of UK businesses will be potentially at risk of huge fines by not complying with the forthcoming EU General Data Protection next May, according to latest research.
The research, which was conducted in between April-May 2017 amongst business owners, directors and senior management in the UK, revealed that whilst more than two thirds are aware about forthcoming regulation and when this is coming into effect, seven in ten businesses have not allocated any budget to facilitate compliance with the regulation.
Furthermore, the research found that the majority have not appointed a Data Protection Officer and more than a third of open ended answers amongst respondents revealed they are not planning to do anything about the regulation or do not know what has to be done. When asked if what would be the main reason for not preparing for the regulation: 15 per cent believed Brexit would preclude UK businesses from having to comply, 12 per cent simply do not have the funds to comply, 10 per cent did not want to get caught up in red-tape and 11 per cent did not consider there to be a business risk
Other businesses also believed their size removes the requirement to comply, yet when the GDPR comes into effect it will introduce a number of key changes which will impact organisations regardless of size or turnover.
Crucially the regulation requires additional information to be supplied to individuals, including the need to identify the legal basis for processing data and the right for individuals to complain to the Information Commissioners Office if there is any problem with the way an individual’s data is being managed – for example if there is a data breach or data is being passed to third parties without express consent.
Businesses will be required to obtain a positive indication of agreement to personal data being processed. The consent cannot be inferred from silence, pre-ticked boxes or inactivity;
Consent will be required for processing children’s data. Businesses will need a parent or guardian’s consent in order to process children’s personal data lawfully;
Rules for obtaining valid consent have been changed. The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.;
The appointment of a data protection officer (DPO) will be mandatory for certain companies. These include all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”.
Firms whose core business activities are not data processing are exempt from this obligation. The GDPR does not specify credentials necessary for data protection officers, but does require they have both “expert knowledge of data protection law and practices”, report to the highest management level of the organisation and have adequate resources to enable the organisation to comply with the GDPR.
Simon Wright, Operations Director, CareersinCyberSecuity.co.uk comments: “Whilst some businesses will be exempt from appointing a Data Protection Officer, there are hundreds of thousands of businesses currently exposed because they do not have the right calibre of staff to deal with data protection law and practices and ensure they can honour all the obligations under the GDPR.
“Experts in the data protection field, could find themselves in high demand and in some circumstances in a good position to name their price, as there is currently an estimated shortfall of 7,000 DPOs in the UK alone.”
Matthew Pryke, a partner at Hamlins who regularly conducts data protection audits for SMEs comments: “Despite awareness about the GDPR, too many businesses are complacent and think because of their size or nature of business they are somehow exempt from having to comply.
“Regardless of Brexit, this regulation – even with the words EU fronting the name – will still apply for all businesses operating in the UK. Those who leave it to chance and don’t prepare now, could be left high and dry if the Information Commissioners Office find businesses breach regulations.”
