If you're a business that collects personal data, you have an important new deadline to meet: the EU's General Data Protection Regulation (GDPR) comes into force on 25 May 2018 with the aim of harmonising data protection across Europe. And it's going to apply to you.

GDPR will set stringent new standards for the ways that businesses store, process and protect customer and employee data. “This doesn't just apply to technology companies,” says Tom Thackray, Innovation Director of the CBI. “You might be a B&B or a local shop — but if you collect customer data, you'll have to comply with the new regulations.” The kind of personal data you hold will depend on the type of business you are; but it can include everything from names, ages and postal addresses to online identifiers such as IP addresses.

 

Penalties for non-compliance

 

This urgent message about GDPR is getting through, says Thackray; although any company that has stuck its head in the sand over the issue is advised to extract it quickly, because businesses that don't comply with the new regulations by the May deadline risk incurring a fine. “Penalties can be as much as four per cent of global turnover,” says Thackray. “But, also, there's a reputation issue at stake if companies don't comply, because we've all seen the news headlines about data breaches and the impact they can have on customer trust.” The public likes transparency.

The new rules mean that businesses will have to ensure good systems of data governance, which in some specific cases means appointing or identifying a Data Protection Officer who is responsible for driving data protection policy within an organisation. Then there are stricter transparency requirements: businesses will have to be more open about why they are holding information about their customers and what they are using it for. The new rules will also ensure that data erasure — or 'the right to be forgotten' — can be put into practice. “Customers will be able to tell a business to remove or delete their personal data from their records,” says Thackray.

 

Preparing for the new regulations

 

To get ready for this new landscape, businesses first have to understand the personal data they are currently holding and examine how it will be affected by the new regulations. They also need to re-evaluate their business relationships to ensure that any third parties they pass data on to are GDPR-compliant, and they should educate their staff to process data in a compliant way, which may involve training.

They might incur costs in order to do this, of course. So what's been the response from the business community? “On the whole, the companies we've spoken to have recognised that the previous data protection rules — devised in 1998 — were applicable to a time before the explosion of data usage in the world economy,” says Thackray. “I think they see the wisdom of implementing an updated legal framework that outlines their requirements for processing personal data in today's world.”

 

Personal data processing post-Brexit

 

If you think these EU regulations won't apply to UK companies after Brexit, you'd be wrong. The UK legislation which will bring GDPR into force — the Data Protection Bill — has already been laid before Parliament. And anyway, GDPR has extraterritorial applications, which means that wherever in the world your business is based you'll need to be compliant with European regulations if you process personal data from the EU.

However, stresses Thackray, there is a Brexit element to all of this: a good Brexit data deal is vital to ensure that personal information will continue to flow across borders after the UK leaves the EU. “Currently, if a B&B in the UK wants to take a booking from a person in Spain, the transfer of their personal data is permissible because we are members of the single market,” he says. “The challenge for the UK Government now is to ensure that cross-border personal data transfer becomes a crucial part of the Brexit negotiations, or else this could cause real problems for British business in the future.”