The Changes to European Data Protection Laws

The Data Protection Act (DPA) will be replaced by a new European personal data regulation, called the General Data Protection Regulation (GDPR) in May 2018. This is a framework with greater scope and much tougher punishments for those who fail to comply with new rules around the storage and handling of personal data, and therefore SMEs need to start preparing for these changes now. Despite this new framework coming into place as the Brexit process unfurls, the Great Repeal Act means that it is likely that these new regulations will be converted into British law.

Why is the Data Protection Act Changing?

The Data Protection Act was developed in the 1990s, when only the largest companies had the means to collect and store significant amounts of data. However, since its adoption in 1995, the world of technology has changed beyond imagination. The current ease and sophistication of data collection means that thousands of SMEs not only collect personal details but store, move and access them online and personal data is used across all kinds of areas of business.

As a result, cybercrime has skyrocketed in recent years. Cybercriminals have seized numerous opportunities to commit major data breaches, which have given them access to names, birthdates, addresses and other sensitive personal information. It’s a huge problem: in just 2016 alone, UK companies have lost more than £1billion to cybercrime.

What does GDPR mean for SMEs?

A recent report from the Federation of Small Businesses has claimed that SMEs are now more likely to be targeted by cybercriminals than larger corporations as they are perceived as softer targets with fewer defence systems. There will therefore be a number of new conditions introduced by the GDPR that are intended to counter and minimise the risk to personal data, and SMEs should start to review how they will accommodate these changes as soon as possible. We’ve outlined just two of the key considerations below.

Changes to Consent

Under the new regulations, companies must keep thorough records of how and when an individual has given consent to store and use their personal data. The meaning of consent is changing, too. A pre-ticked box is no longer a satisfactory method to gain consent: instead, companies must show a clear audit trail to prove consent has been given.

Individuals will also have the right to quickly and easily withdraw their consent at any time. GPDR gives individuals the right to be forgotten, so when an individual withdraws their consent, their details must be permanently erased rather than simply deleted from a mailing list.

SMEs will therefore need to know precisely what personal information they hold and where it is located, and there will need to be practical procedures implemented to ensure the complete removal of data if a request is made.

Data Breaches

GDPR will force companies to inform the relevant authorities within 72 hours of a data breach. Monitoring protocols will need to recognise and act on breaches as soon as they occur, and incident recovery plans will need to be implemented so that the repercussions can be dealt with swiftly.

These new regulations will be demanding for companies of all sizes. Preparing for all this will require a full information audit and a change in culture for many companies. GDPR means the handling of personal data will need to be taken much more seriously.

How Can You Prepare?

With less than a year left before GDPR comes into force, it’s certainly time to ensure that your company meets security requirements. Achieving compliance requires a review of your entire security landscape and there are stiff penalties for those who do not comply. To find out more about how to deal with the new EU data protection regulations, you can download a recent white paper produced by BT.