Eight in 10 East Midlands firms have no response plan for data breach, finds Grant Thornton

Chris Frostwick, partner and practice leader of Grant Thornton UK LLP’s East Midlands regional office
With less than six months to go until new EU laws on personal data protection come into effect in the UK, eight out of ten East Midlands firms are putting themselves at risk of heavy fines, says a new poll from financial and business advisers, Grant Thornton.
 
From 25 May 2018, all organisations processing personal data of individuals in the UK or EU will need to meet the new General Data Protection Regulation (GDPR) which has been introduced to give people greater control over their personal data and how it is used.
 
The EU allowed a two-year transition period for businesses to comply with the GDPR and whilst all local senior managers questioned in a recent poll say they are familiar with GDPR, 80% of them have no contingency plans in place should a data breach happen.
 
Any organisation found to contravene the new regulations after the May 2018 deadline could be subject to a financial penalty. The level of fine will depend on the nature of the infringement but for larger businesses, it could be as much as four percent of global turnover or €20 million – whichever is higher.
 
Chris Frostwick, practice leader of Grant Thornton’s East Midlands office in Leicester, explains: “The new GDPR regulations have far-reaching implications for all organisations that hold personal data of EU citizens and with the introduction date fast approaching, it is concerning that around a fifth of businesses have taken no steps to prepare, and four fifths have no plans in place to deal with data breaches.
 
“Over the last 20 years, the Data Protection Act (DPA) has been the foundation for protecting privacy in the UK. However, this pre-dated social media, cloud computing and geolocation services and the laws needed updating to address modern privacy concerns.
 
“The new GDPR aims to do just that by increasing organisations’ accountability for all aspects of data protection from the collation of personal data to its disposal. It is vital for businesses to ensure they are up to speed with the new legislation requirements and ready to comply by May 2018 or they could face a hefty fine – and damage to their reputation.”
 
Amongst the legal requirements outlined by the GDPR, organisations will need to:
  • Be able to prove clear, freely given consent from every individual to process their data. Silence or inactivity no longer constitutes consent.
  • Appoint an appropriately experienced, independent Data Protection Officer (DPO) where required. Many organisations, including local authorities, schools and companies that monitor individuals on a consistent and large scale, must do so. The DPO cannot hold a conflicting role such as CEO, CFO or head of IT.
  • Conduct Privacy Impact Assessments (PIAs) to identify where privacy breach risks are high, particularly with new projects.
  • Report significant data breaches to regulators within 72 hours.
  • Observe ‘the right to be forgotten’ in all procedures. Organisations should not hold data longer than absolutely necessary or use data for a purpose other than the one it was originally collected for.
  • Design data protection into all new business processes and systems.
 
Following Brexit, organisations in the UK that process data of individuals in the EU will still need to be compliant with the GDPR. It is also anticipated that UK data protection laws will remain broadly in line with the GDPR.
 
“All organisations need to fully understand how the GDPR affects them,” adds Chris. “This includes assessing current processes and establishing which business areas will be impacted and how.

“By May 2018 every business should be able to evidence they are GDPR ready for both internal audit and regulators; show that risks to personal data have been understood and embedded in the organisation; have new or updated, fully operational data protection policies, procedures and controls in place; and be able to produce governance documentation for inspection.
 
“All this requires business-wide awareness and what may be a steep learning curve for many management teams, so professional advice can prove invaluable.
 
“With personal privacy high on the public agenda, and rightly so, it’s just not worth the financial or reputational risk of leaving anything to chance.”