GDPR: what’s the worst that can happen?

With the GDPR deadline looming, we explain what could happen if your business isn’t ready for this change.

Friday, Jan 26, 2018
2 min read

The General Data Protection Regulation (GDPR) is something that all businesses should be aware of. The new legislation will come into effect on 25 May 2018 and will update current data protection laws.

As a result, this upcoming change in the law is likely to have an impact on the way you run your business and manage your staff. And it’s not something that you can just ignore and hope that it’ll go away. It won’t.

Even worse, the implications of not preparing for this new regulation could see your business get a massive fine.

Is there a fine for non-compliant businesses?

There are large penalties for companies that do not comply with the GDPR. The maximum penalty is either €20 million or 4% of your total worldwide annual turnover for the preceding financial year, whichever is greater.

The Information Commissioner’s Office (ICO) can apply a fine to your business for a number of reasons. These include:

  • If you don’t appoint a Data Protection Officer (DPO) where the regulation requires one.
  • If you process someone’s personal data without a lawful basis. Consent is one lawful basis, but not the only one; if you rely on it, it must be freely given, specific, informed and recorded.
  • If there’s a personal data breach at your company and you don’t notify the ICO within 72 hours of becoming aware of it (where the breach is likely to result in a risk to individuals), or don’t tell the affected people where the risk to them is high.
  • If you don’t maintain records of the personal data you hold and how you process it.

The maximum penalty is much larger than the £500,000 limit the ICO can currently impose for non-compliance with the Data Protection Act 1998.

With that said, Elizabeth Denham, the UK Information Commissioner, has indicated that the ICO will be more lenient on companies that are aware of the GDPR and make a genuine effort to comply than on those that don’t.

How can my business avoid a fine?

You might think that you’ve got plenty of time before 25 May 2018 to prepare for the GDPR. But it’ll come round much sooner than you think.

The first thing you should do is make sure the people you work with know that the law is changing.

You can then start to prepare by doing the following:

  • Put together a register of the personal data you hold, where it came from, why you process it and who you share it with.
  • Go through your current privacy notices and plan to change them in time for the GDPR.
  • Review how you get, record and manage consent, and whether you need to change it.
  • Check your procedures to make sure they cover all of the rights individuals have. This includes how you would delete personal data or provide a copy of it securely.
  • Put in a process for handling subject access requests within the new timescales. Under the GDPR, you’ll have to respond without undue delay and at the latest within one month, rather than the current 40 calendar days.
  • Think about whether you need a system to verify a person’s age and whether you need consent from a parent or guardian.
  • Put together an incident response plan for a personal data breach (data lost, stolen or exposed), including who decides whether it must be reported, how you will notify the ICO within 72 hours where required, and how you will inform the affected individuals.
  • Appoint a responsible person to be your DPO where required.

Are you worried about new legislation changes like GDPR and how it’ll affect your business? With BrightAdvice, get clear and confidential employment law advice over the phone.

To find out more about BrightAdvice or to request a demo, please call us on 0800 783 2806.
