Risk managers should prepare now for new EU data protection legislation that will come into force next year, Airmic and law firm BLM have urged. The new regulations are more demanding than current rules and can result in much larger fines. Risk managers are being warned that the changes could take time to implement.
The General Data Protection Regulations (GDPR), approved by the European Parliament last year, will automatically become law in EU countries in June 2018. The regulations aim to clarify and increase the responsibilities of organizations for the personal data that they handle and store and also introduce mandatory breach reporting and much tougher penalties for those who do not comply.
A joint report by Airmic and BLM, ‘The EU General Data Protection Regulations: What risk managers need to know’, says that UK businesses will be affected regardless of Britain’s decision to leave the EU. Nick Gibbons, partner at BLM and one of the authors of the report, said: “The Information Commissioner’s Office has recently confirmed that GDPR will come into force and become part of UK law before the UK leaves the EU so the Brexit debate should not delay any action.”
Gibbons said that although there is good awareness about the GDPR, the full extent of the changes has yet to be appreciated. “There has been significant interest in GDPR amongst risk managers; however, many do not yet appear to have a clear understanding of current data protection law, let alone the particular changes to it that will be wrought by the new regulations.”
The report makes clear that complying with the GDPR cannot be the sole responsibility of the IT team but must be treated as an issue for risk managers to address and control. “Information security is an organization-wide risk which necessitates physical and organizational as well as technical security measures,” states the report. “In circumstances in which potentially crippling fines may be imposed for breaches, information security must be managed by an organization’s risk manager and his/her team and cannot simply be left to the IT team to deal with.”
The report outlines the key changes that will come into force and provides detail on what risk managers should be doing now to ensure their businesses are ready for the new law. In particular, risk managers are urged to:
- Review current data-processing activities;
- Perform impact assessments to establish whether there is a risk of infringement of the GDPR;
- Establish necessary policies and processes to meet all GDPR requirements (e.g. security, complaints handling, data accuracy, breach reporting, etc.);
- Update current policies regarding personal data and make the necessary changes to business operations.
Gibbons believes that careful planning will be key to a smooth transition. “The most important thing for risk managers to do right now is to create a plan and a budget for compliance by June 2018. There is a lot to do and identifying how much financial and human resource will be needed is important.”