Six Months to Go and It’s Time To Get GDPR Serious
Phil Beckett, MD, Disputes and Investigations at Alvarez and Marsal
In May 2018, the way businesses handle consumer data will change irrevocably for the better. No longer will they be able to harbour consumers’ personal data ‘just because…’ – finally they will be held accountable for not only how they use it, but how they look after it too.
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and it can’t come quickly enough. It is the long-awaited update to the Data Protection Directive from 1995, something that pre-dates the way we use technology now. The new mandate is to strengthen and unify data protection across Europe, giving consumers control of their data.
These new requirements will force firms to conform by making their digital assets secure or, at the very least, achieving a baseline of security, thereby forcing them to keep data in one secure place.
But why is this legislation so important? Because any company headquartered in the UK or Europe, or trading with any country in the EU jurisdiction, needs to comply. Basically, if you have a presence here, you need to know the rules. It is imperative that businesses begin to pay attention and prepare for the regulations, or risk facing huge fines for failing to conform.
The big change is the new 72-hour breach notification period for every company (previously only financial services had to comply with this timeframe), as well as potential fines of up to four per cent of annual worldwide turnover or €20 million, whichever is higher, for the very worst offences.
In addition, many firms will need to appoint a Data Protection Officer (DPO), who will ensure compliance with data protection laws on behalf of the business. This role can be filled by an employee or by an external consultant, but the good news is that it is currently not mandatory to appoint a DPO. Having said that, the decision should not be taken lightly, so businesses need to think about the scale of the data they hold and how compliance will be ensured across the firm. If a business is found to have failed in its responsibilities around the appointment and support of a DPO, it may face fines of up to half the maximum.
Essentially, the new regulations are a way to enforce what firms should already be doing by way of best practice. No magical solutions are needed here: data carries a significant value to many people, plus data privacy is seen as a fundamental human right under European law and thus should be rightfully protected at all costs.
In my view, if businesses had taken proper care of consumer data in the first place, and not misused it for commercial gain, we would not be in this situation. But we are, so now it’s about ensuring businesses change their mindset to fully comply from May next year.
What you need to know to be compliant
There are three key elements of cybersecurity that organisations should consider, as a minimum, to align with the GDPR. These elements are:
- Development and implementation of a thorough data governance strategy. This includes ensuring C-suite and board-level buy-in, and creating an information security framework which defends against current threats;
- Employment of a fully developed information security and disaster recovery framework, complete with policies and procedures (including a breach reporting plan), to detect and respond to incidents; and
- The integration of GDPR or data-management experts. These people must be in place to advise and address the current landscape so the board and C-suite are fully aware of the risk level and can therefore make informed decisions. This would cover commercial and general threats to the firm and the industry as a whole.
For the majority, GDPR will mean an overhaul in how data is collected, stored and utilised. With the right to be forgotten increasingly implemented, firms need to know where they are storing their data and how they are using it, so they can respond to consumer requests efficiently and calmly. Failure to comply with the GDPR will be catastrophic, both financially and reputationally, so it’s time to get ready and make data the priority it should be.