Quite apart from the Brexit decision, UK businesses must comply with the EU's General Data Protection Regulation (GDPR) when it is implemented in May 2018.
The new legislation will replace the Data Protection Act (DPA) and promises to enforce tougher punishments for businesses that fail to comply with the rules on storing and handling personal data.
Howard Williams, marketing director at Parker Software, said: "Having heard of GDPR is one thing, but actually complying with the regulation is an entirely different game.
"The new rules are designed to give European citizens more control over their personal data, but for organisations that handle data regularly, what they actually need are practical steps to comply with the law."
Businesses have been threatened with fines of up to £18 million for non-compliance, or four per cent of the company's worldwide annual turnover, whichever figure is higher, according to a report published by business automation expert Parker Software.
The report outlines five important steps towards GDPR compliance:
1: Talk with the boardroom
While many people are aware of the implications of failing to comply with GDPR, check whether the decision makers and key people in your organisation know that the law is changing. You might be surprised: regulations that are not yet in force are often treated as a problem for another day.
The May 2018 implementation date is more than the first day of the regulation; it is the date on which it becomes legally binding. Anyone unsure whether the business is taking steps towards compliance needs to talk to their bosses now. They will thank you in the future.
2: Dig into your data
Data records can be messy for small and large businesses alike, where personal data used for marketing activity may be held separately from customer service records, and lists of personal data may have been bought from a number of sources, with missing fields in some datasets causing chaos.
It may seem like a gigantic task, but checking your records is not negotiable, and understanding the data that you hold will cost time and resources. You will need to ask where the data came from, who has access to it, and, importantly, whether you have the right to hold it at all.
3: Don’t be afraid of surrender
It may be tempting to deny all knowledge of unlawful information in the face of the mammoth task of organising vast amounts of data. But the risk is not worth taking. In the end, GDPR is designed to protect personal data. And there are several schemes in place to help, so ask for assistance before it is too late.
4: Make changes now
If your data collection doesn't meet GDPR regulations, you need to change now. The law will not be implemented until May 2018, but there is no benefit in waiting. Changing your procedures now will mean all new data you receive will be compliant, giving you until May 2018 to make sure your existing data is up to scratch. Failing to act now won’t avoid the issue, but it will leave you with a colossal job to start in May.
Businesses need to become familiar with the Information Commissioner's code of practice on Privacy Impact Assessments. Firms also need the latest guidance from the Article 29 Working Party on how to implement the changes.
5: Employ an expert
Some companies will need to appoint a data protection officer to ensure GDPR compliance. According to the law, an official data protection officer is only needed when the data is held by a public authority, or if the organisation is regularly monitoring data on a large scale. The only exception is when companies manage data related to ‘sensitive’ categories, such as criminal convictions or offences.
The new role does not have to be a formal data protection officer, just a dedicated member of staff who makes sure the firm is working within the rules. If hiring new staff is beyond the budget, invest in training for existing staff.
If you’re interested in GDPR, don't miss C&IT’s special GDPR roadmap series of events that is kicking off in March.