In an article on the company’s opinion website, Darren Farnden, Head of Marketing at Entanet, points out that the new regulations will mean even small businesses having to spend time and effort focusing on data protection. “Whatever your views on it, it’s about to take up a whole lot more of your time, even if you’re a sole trader.”
The new EU legislation is designed to ‘strengthen consumer protection and enhance trust and confidence in how personal data is used and managed’. It replaces the 1995 Data Protection Directive (from which the Data Protection Act was born) and covers how personal data is gathered, stored, shared, processed and used.
While it is not due to be enforced until 2018, the risk of massive financial penalties being imposed on companies that do not meet the new regulations will force the subject of data protection onto the boardroom agenda. Fines can be as much as four percent of revenues for the most serious breaches.
Farnden explains why there is every reason for smaller businesses in particular to be concerned. “You might consider this scaremongering but the truth is that the fines that’ll be levied for breaches are scary. Operating on a tiered basis, you’ll be asked to cough up two percent of annual global revenue for not having the required records in order, not notifying the supervising authority and data subject (i.e. the person to whom the data relates) about a breach, or not conducting impact assessments. But this rises to four percent of turnover for violations relating to data security and consumer consent. For SMEs, these fines could mean the end of your business, full stop.”
It could be just as devastating for larger firms. If GDPR had been in place last October, when the data of 150,000 of TalkTalk’s customers was compromised, the fine for the breach alone could have amounted to almost £72 million, which is £12 million more than the reported total financial cost and enough to wipe out the company’s £54 million operating profit.
No business will be able to ignore the rules, Farnden points out, as the GDPR broadens the definition of what constitutes the ‘personal data’ of a European citizen to include any information that can directly or indirectly identify an individual. This means that even IP addresses and cookies will be considered as ‘personal’, and therefore subject to the same protections as a person’s name, age, address and bank details.
Farnden says that businesses need to be aware of various specific points of regulation and ensure they are conforming. He also notes that Britain leaving the EU would not necessarily mean that the UK could ignore the new rules, as it might be seen by many companies as an unsafe place in which to hold personal data on European citizens.