GDPR is Now in Force: Did Businesses Do Enough to Prepare?
Mon Aug 20 2018
As we all know, the General Data Protection Regulation (GDPR) is the legal framework that sets binding rules for the collection and processing of personal data within the European Union, and it has applied since 25 May 2018. But we’re a few months beyond that now – so why am I bringing it up again? What could I possibly have to add to one of the most talked-about topics of recent years?
The whole thing reminds me a little of the morning the new millennium dawned (remember Y2K and the ‘bug’?) when, despite all the hype, warnings, and doom foretold, we were all still here, life went on, and it was business as usual. Of course, the nature of the changes under GDPR means that the impact was never likely to be felt immediately, and I don’t mean to be flippant – data protection is, after all, a very serious matter, as are the potential consequences for businesses who breach it.
So are businesses now compliant? Are directors and compliance staff sleeping easily? While it’s not possible to say, I’d imagine not. Research published at the start of the year from the SME Association’s GDPR Survey indicated that 82% of businesses were aware of GDPR, however 62% of businesses could not name any changes GDPR would bring, and 72% of businesses had not identified the steps needed to be GDPR compliant. So there was good awareness that GDPR was coming – but that didn’t follow through to an understanding of what would have to be done. That said, those stats were published five months before the deadline, so there was still plenty of time.
Organisations will have dealt with the challenge of GDPR alignment in ways specific to their business, and apart from sending out those ubiquitous consent emails, the work will have taken place behind closed doors, so who is to say whether businesses did enough – or, in some cases, much at all. Another unknown factor is the true consequence for a business found to be in breach of GDPR. That hasn’t yet played out, so we shall see.
But what is known is that the potential consequences of a breach could be serious. First, there are the new breach notification obligations: Article 33 requires a personal data breach to be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and Article 34 requires the affected data subjects to be told where the breach is likely to result in a high risk to their rights and freedoms. In an insurance context those data subjects are likely to be your customers, and once they’ve been notified it seems likely that the matter would become public knowledge, resulting in negative and damaging PR for a business.
Then there are the fines. Much publicised, these have been set high, in two tiers under Article 83: infringements in the lower tier carry a penalty of up to 10,000,000 EUR or 2% of total worldwide annual turnover for the preceding financial year – whichever is higher – and infringements in the upper tier (which includes breaches of the basic processing principles, the conditions for consent, and data subjects’ rights) carry up to 20,000,000 EUR or 4% of that turnover, again whichever is higher. And while it is not yet known how firmly they will be enforced, we can probably expect at least a couple of ‘top end’ fines to be handed down, by way of a statement.
And compensation is now potentially payable too: under Article 82, any person who has suffered material or non-material damage as a result of an infringement of GDPR has the right to receive compensation from the controller or processor for the damage suffered.
Much remains to be seen, both about how well businesses equipped themselves for the change in May and about how businesses found to be in breach will be treated. And although GDPR messages don’t drop into your inbox every day any more, it’s still very much a live issue. If businesses aren’t sure they did enough, don’t wait for a rainy day: I’d recommend a review of what action was taken, how confident it has left you, and what options are out there on the market to give you some protection.
Aidan McGrath is the Claims Operations Manager at DAS Ireland