Despite organisations being given a two-year period for preparation, numerous reports have shown many businesses are still unprepared for the implementation of the General Data Protection Regulation (GDPR), which is set to come into force from 25 May 2018.
Although ensuring compliance with the GDPR may be technically challenging for companies – whether in the IT sector or other areas – the new regulations are beneficial to both consumers and businesses in the long run. In this blog post, we have highlighted the positives of the new regulation, along with its relationship with the IT sector.
How will the new regulation help businesses?
The GDPR is a catalyst of tremendous change in how data is collected and used, seeking to replace the old and outdated Data Protection Act 1998. Although the initial costings of such changes in businesses may be significant – research by the UK’s Ministry of Justice estimated that it would cost nearly £320m for UK businesses to meet the requirements of this regulation – it has been estimated that the single law could eventually help generate cost savings for businesses of around €2.3 billion a year.
Further, as the GDPR outlines a single set of rules – making it easier for businesses to abide by the law – part of this cost saving may come from reduced administrative costs. The GDPR will help avoid situations where conflicting national data protection rules complicate and delay the cross-border sharing of data.
Strengthening Europe’s data protection standards also means that business opportunities are created. This is ultimately because data is effectively the currency of today’s economy: it is collected, reviewed and analysed, and shared across the world, therefore gaining huge economic significance. Some estimate that the value of European citizens’ personal data could grow to nearly €1 trillion annually by 2020.
How will the new regulation benefit customers?
Customers will ultimately be more confident that their data is stored safely and in line with legal standards. The GDPR introduces numerous provisions that work towards this objective. It stipulates that data is to be deleted if an individual no longer wants their data to be processed, provided there are no legitimate grounds for retaining it. This is termed the “right to be forgotten”.
Further, customers will have more information on how their data is processed – which should be clearly available – and a right to know when their data has been hacked. Organisations and companies are obliged to inform the national supervisory authority of data breaches that put individuals at risk, and to communicate all high-risk breaches to the data subject as soon as possible, so that users can take appropriate measures.
Another essential element in the EU data protection rule is ‘data protection by design and by default’, meaning that safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm.
How will it affect the IT and communications sector?
Ultimately, any IT business that directly deals with the personal data of EU citizens will be affected by the GDPR.
2017 was a year of high-profile cyber-security incidents, concluding with a PayPal data breach that exposed the personally identifiable information (PII) of 1.6 million customers. This demonstrates that firms holding personal data are far more likely to be attacked, making it even more pressing for IT and communications companies to ensure they abide by the new regulations.
This is further highlighted in the Cyber Security Breaches Survey 2017, which reveals that nearly seven in 10 large businesses identified a breach or attack, with the average cost to large businesses of all breaches over the period being £20,000 and in some cases reaching millions. The survey identifies that businesses holding electronic personal data on customers were much more likely to suffer cyber breaches than those that do not (51 per cent compared to 37 per cent).
The need for businesses – both within and outside of the IT sector – to abide by the GDPR is made even more pressing by the hefty fines in place for inadequate data protection measures. Violations of certain provisions mean that organisations could be hit with a €20 million penalty, or four per cent of annual global turnover.
The combination of the pressing issue of cyber-security and the impending introduction of GDPR signals the growing importance of data protection in today’s modern, digital world.
A sufficient IT infrastructure is fundamental to any organisation that wants to function efficiently and effectively in this economic market.
The UK has recently opened its new National Cyber Security Centre, which is part of a £1.9bn five-year strategy by the UK government to tackle cyber crime.