Published on Jun 24, 2021
The General Data Protection Regulation (GDPR) has significantly impacted business operations since it came into force. Organisations have a clearer understanding of what personal data they hold, how it is used, and who has access to it. Privacy management has become a core function, often led by a dedicated Data Protection Officer (DPO), who reports to the highest level of management and whose role is to monitor compliance (a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data).
The requirement to notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals, encourages proactive preventative measures and ensures accountability. Meanwhile, transparency around information handling practices increases trust, shortens sales cycles, and adds value to the brand.
The GDPR came into force on 25 May 2018. At the time, it applied to all 28 EU Member States, including the UK. The UK left the EU on 31 January 2020, and when the transition period ended on 31 December 2020, the EU GDPR ceased to apply in the UK; from 1 January 2021, a domestic version of the regulation, retained and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, has applied instead. While the GDPR and the Data Protection Act 2018 have been part of the regulatory landscape for over three years, many businesses are still unsure of their compliance responsibilities, particularly after Brexit. Recent CrowdStrike research reported in Infosecurity Magazine confirms this:
Following Brexit, there are now two versions of the GDPR: the UK version, known as the UK GDPR, and the EU GDPR, which applies in the European Union. A business established in the UK is subject to the UK GDPR for its processing of personal data, whether the individuals concerned are in the UK or the EU. If it also offers goods or services to, or monitors the behaviour of, individuals in the EU, the EU GDPR applies to that processing as well, and the reverse holds for an EU-established business targeting individuals in the UK. So while it is true to say that companies have broadly the same obligations under both regimes, an additional layer of complexity now exists:
Now that we've cleared up the impact of Brexit, we can turn our attention to how the GDPR affects businesses generally.
There are several ways the GDPR impacts businesses, and we've grouped them into four categories: responsibilities, penalties, reputation, and opportunities.
Let us examine these in depth:
The GDPR requires businesses to comply with many responsibilities, including:
The above is only a selection of GDPR responsibilities. To achieve compliance, you will also need to regularly:
An infringement of the GDPR is a serious matter for which the maximum financial penalties can be severe. Fines are divided into two levels: a higher tier of up to €20 million or 4% of total worldwide annual turnover (whichever is higher) for infringements such as breaches of the data protection principles, data subject rights, or international transfer rules, and a lower tier of up to €10 million or 2% for infringements of other obligations, such as those of controllers and processors relating to security, records, and breach notification:
Note: The UK GDPR maximum fine amounts were converted from euros to pounds sterling after Brexit (£17.5 million and £8.7 million respectively), which is why they appear lower than the €20/€10 million figures you may have read elsewhere. They are set out in section 157 of the Data Protection Act 2018 (see the DPA 2018 Keeling schedule for the amended text).
The two-tier structure, and the turnover-based maximum in particular, forces controllers and processors to put policies and procedures in place to ensure compliance is achieved. It also provides an incentive for businesses to review and update their privacy and data protection framework regularly. Because the maximum fine scales with turnover, this approach discourages large corporations, or any business for that matter, from simply ignoring GDPR compliance and treating a fine as a cost of doing business in the event of a significant data breach.
Not all GDPR infringements result in a fine. Supervisory authorities such as the UK's Information Commissioner's Office (ICO) have several alternative enforcement actions they can choose instead; these include:
The fallout from a data breach is not only financial: organisations can also suffer reputational damage. However, looking at the impact on share prices for several publicly listed companies following a high-profile data breach, heavy share price falls appear to be temporary. This is partly down to how well organisations handle their incident response and partly down to investor fatigue.
More significantly, organisations can face long-term consequences from the loss of customers and sales. A 2019 study showed that 44% of UK consumers claim they will stop spending with a business for several months in the immediate aftermath of a security breach, and 41% of consumers claim they will never return to a business post-breach. Furthermore, reputational damage from data breaches can hinder a business from being able to attract and retain the best talent. Employees want to work for ethical companies and have shown they are now willing to protest to bring about policy changes.
For all the negative press about potential fines and the increase in compliance obligations, the GDPR presents many opportunities for proactive companies. Implementing a privacy framework for GDPR compliance requires organisations to examine what personal data they have, how it is used, who has access to it, on what systems, where it is stored, how it is secured, and how long it is retained.
The introspective nature of this analysis can often lead to operational efficiency improvements that would otherwise never take place. Putting effective GDPR compliant policies and procedures in place illustrates not only where processes can be streamlined but how good governance can be implemented to improve data quality and cut out duplication.
Customers and highly skilled employees are attracted to companies that take their privacy and data protection seriously. The GDPR provides organisations with an opportunity to develop trust and confidence with customers and service users, employees, and other stakeholders.
If you need further evidence that robust GDPR compliance is good for business, a 2021 study showed that organisations with mature privacy practices obtain higher business benefits than average and can swiftly handle new and evolving worldwide privacy regulations. Furthermore, 35% of companies reported that they received benefits at least two times greater than their investment in privacy and data protection compliance - that's at least £2 back for every £1 invested.
To discover more about data protection and privacy law training, please email us at contact@freevacy.com or call 0370 04 27701.
Freevacy has been shortlisted in the Best Educator category. The PICCASO Privacy Awards recognise the people making an outstanding contribution to this dynamic and fast-growing sector.