GDPR appears to be the new buzzword on the street, with articles, journals and books being published on the subject on a regular basis. But what exactly is GDPR, and how will it affect Northern Ireland businesses?
General Data Protection Regulation, or GDPR, is the EU’s response to inconsistent data protection across member states and to the radically different ways personal data is being used in today’s society.
Essentially, if an entity holds, stores or processes any personal data belonging to people within the EU, that entity is required to comply with GDPR, whether or not it is itself established in the EU. The two-year preparation period is nearly over: the deadline for full GDPR compliance is 25 May 2018.
An emerging misconception is that, since GDPR was developed as an EU regulation, it will not apply to the UK once it has left the EU. Clarification was provided in the Queen's Speech of June 2017, which announced that, despite Brexit, GDPR will be carried into UK law, so that data can continue to be shared with EU states after the UK's withdrawal. Even setting that aside, any UK organisation that uses personal data belonging to people in the EU (an email address, IP address, phone number or financial details all count) must be GDPR compliant. It is therefore important that the impact of its introduction is understood.
So what does compliance with GDPR involve? Unfortunately there is no short answer to this question, and organisations and their key stakeholders need to take the time to familiarise themselves with the legislation and consider its implications. In broad terms, an organisation must be able to show a lawful basis for each use of personal data, keep records of its processing activities, honour individuals' rights (including access to and erasure of their data), assess the risk of new high-risk processing before it starts, and report a personal data breach to the supervisory authority within 72 hours of becoming aware of it. GDPR is not confined to multinational corporations: all organisations, regardless of size or sector, must be aware of their obligations to govern the control, storage and processing of any personal data belonging to people in the EU.
The cost of non-compliance is significant. In the UK, breaches of GDPR will be assessed, and fines imposed, by the Information Commissioner's Office (ICO). Fines for the most serious infringements can be up to €20 million (roughly £17 million) or 4% of global annual turnover, whichever is greater; a lower tier of up to €10 million or 2% of turnover applies to other infringements. Either is in addition to any reputational damage.
Given the two-year preparation period and the widely publicised requirements, the ICO is likely to take the view that there is little excuse for non-compliance. Organisations should act now to avoid such penalties.
To summarise: it is impossible to condense the 88-page GDPR, with its 173 recitals and 99 articles, into a few hundred words, but this article is intended to provide some food for thought on its potential impact on local businesses. The consequences of failing to comply could be costly. Business leaders need to ensure their organisations are GDPR-ready and that management teams are up to speed with their responsibilities.