Fines of up to €20 million for breaching new GDPR data rules are giving organisations a very good incentive to get their house in order.

Recently, our panel of advisers highlighted how EU data protection and privacy laws are changing. Here, Martin Hoskins, an associate director in our Business Risk Services team reviews the EU General Data Protection Regulation (GDPR), which is coming into force in May 2018 and will have serious consequences for those violating the new rules.

What does the GDPR mean for businesses?

The GDPR will apply in all EU member states and will require organisations to provide much more information than they do today. They will need to tell both employees and customers how their personal data is being used and protected, and explain their rights, such as:

  • the right to be forgotten by the organisation
  • the right to restrict processing of personal data
  • the right to move personal data to other organisations.

In addition, all significant data breaches will have to be notified to regulators within 72 hours.

Senior management teams will need formal assurance that their data protection processes and procedures are fit for purpose – if they’re not and a serious violation of GDPR rules occurs, the penalty is up to €20 million or 4% of their global revenue (current fines are capped well below this).

How to prepare for the GDPR

We recommend seeking professional advice to help ensure compliance, for example by putting the following actions in place:

  • carry out a gap analysis of business processes or policies that need to be upgraded
  • help draft appropriate policies and procedures to ensure compliance with GDPR
  • set up a crisis management and incident response service in case the worst occurs.

For more information on our services and how you can prepare for the GDPR, contact our Business Risk Services team.