South West businesses urged to prepare for new GDPR legislation
With the countdown to the introduction of the General Data Protection Regulation (GDPR) well underway, audit, tax and consulting firm RSM is urging South West companies that obtain and process data relating to EU residents to complete their preparations for the impending rule changes, to help mitigate the substantial financial and reputational risks of non-compliance.
The new legal framework is the biggest change to data privacy legislation in over two decades, and aims to protect EU citizens’ personal data, regardless of borders or where the data is processed.
The regulations, which come into force in less than a year’s time on 25 May 2018, will transform how businesses need to store and manage personal or ‘person identifiable’ data. A failure to comply with the new rules could see some businesses facing significant penalties of up to €20m, or four per cent of annual global turnover.
An important factor is ensuring that a business’s data processes protect the rights of individuals. An organised data protection programme will therefore need to be established, with all data activities accurately recorded. The programme must also include clear data asset registers and updated policies, as well as procedures for obtaining consent from individuals to hold their personal data. This obligation extends to any third-party contractors, or partners working with a business, who process EU resident data on its behalf, and will present companies with much greater legal liability in the event of non-compliance.
Dan Maycock, risk assurance director at RSM, said: ‘The national WannaCry ransomware attack came as a stark warning that all companies are potentially at risk of a cyber-attack. Yet, as well as demonstrating the potential for unprotected companies to fall victim to this kind of crime, some could also find themselves on the wrong side of the law if GDPR regulations are not sufficiently adhered to. It is therefore ever more important for businesses to ensure robust defences are put in place as soon as is possible.’
‘Understandably, increased security system costs, the potential disruption of obtaining consent from customers and individuals and greater control over how staff access and use data are going to be great concerns for South West businesses, but getting caught out could equally incur crippling financial penalties and potentially irreversible reputational damage. For this reason, companies really cannot afford to take cybercrime or the new GDPR legislation lightly, and must do everything they can to prepare themselves. With rapidly changing technology and savvier modes of hacking, we are set to see many more attacks in the coming years if businesses do not act. Timely focus and investment in these key risk areas is a must.’