(London, UK): Since the European Parliament adopted a new standard to improve data protection for individuals within the European Union (EU) in April 2016, firms have faced massive fines for non-compliance. In the UK alone, the fines doubled year on year. May 2018 brings a new set of standards set out by the General Data Protection Regulation (GDPR), which aim to provide predictability and efficiency for organisations and offer all EU residents increased data protection rights.
The potential fines for non-compliance are unprecedented: they range from €10 million (£7.9 million) or 2 percent of an organisation’s global turnover (whichever is greater) up to €20 million or 4 percent of turnover (whichever is greater). For many businesses, fines of this size could result in severe cash flow problems, insolvency or even bankruptcy/closure. The Information Commissioner’s Office (ICO) fines are currently capped at £500,000, a cap that GDPR will override.
GDPR applies not only to EU domestic business, but to companies worldwide that offer goods and services to European citizens. Some of the key requirements include: increased rights for data subjects, the development of security-first software, encryption of personal data, secure data processing and a 72-hour notification requirement for data breaches involving personal data. The UK Government have confirmed that Brexit will have no impact on the adoption of GDPR.
But many organisations are not yet ready: according to a recent poll, one in three businesses in the UK is not familiar with GDPR. Many also believe that the regulation does not apply to their business. At Auriemma’s latest slate of Industry Roundtables, anxiety was expressed about the amount of work remaining to be ready by the deadline. Some of the most widely talked about components of GDPR compliance at the recent Auriemma events include:
- Increased rights for data subjects (i.e., the right to “be forgotten” and data portability)
- Software to be developed with security in mind (privacy by design and by default)
- Pseudonymisation or encryption of personal data (privacy by design and by default)
- Secure processing of data
- 72-hour notification for breaches of personal data
To account for these changes, most organisations will have to fundamentally change the way they manage and protect data. A shift of this size will need buy-in from the board level and firms should be endeavouring to make sure all employees are aware of the requirements.
To help financial service firms best navigate the GDPR and PSD2 landscape, Auriemma will be holding a UK regulatory Roundtable in London on the 26th January.
We are fast approaching the end of the two-year adoption period, and 25th May 2018 is when the ICO expects all organisations to be GDPR ready. Organisations should be adjusting their policies and their internal and external procedures for data security breaches, and considering the new rights of EU citizens. Every organisation will need to analyse its current privacy policies, security measures and underlying operational processes. Firms will also need to identify the areas in which process improvements and redesigns are required to ensure compliance with GDPR.
About Auriemma Group
Auriemma is a boutique management consulting firm with specialized focus on the Payments and Lending space. We deliver actionable solutions and insights that add value to our clients’ business activities across a broad set of industry topics and disciplines. Founded in 1984, Auriemma has grown from a one-man shop to a nearly 50-person firm with offices in New York and London. For more information, contact Louis Stevens at +44.(0) 207.629.0075.