The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. The GDPR is a total overhaul of EU data protection law and will be implemented by the UK despite the Brexit vote.  With fines of up to 4% of annual global turnover or EUR20 million (whichever is higher) for non-compliance, coupled with the negative PR associated with mistreatment of client/customer data, the GDPR and data protection are now boardroom issues.

The GDPR is extremely broad in scope – it applies to any organisation offering goods or services to data subjects in the EU or monitoring their behaviour (to the extent that it takes place within the EU). Companies with only minimal data on EU subjects still have to comply with the GDPR in the same way as those that hold and manage data on thousands of individuals, creating a potentially onerous compliance burden for all organisations caught by the GDPR.

What do companies need to do?

Organisations have until 25 May 2018 not only to comply with the GDPR, but also to be able to demonstrate compliance to the regulator i.e. prove you have verifiable systems and processes in place to manage data.

At a minimum, organisations caught by the GDPR need to:

• commit to developing a GDPR compliance programme and define, with senior management, your data privacy governance structure
• determine whether you need to appoint a data protection officer (DPO) who will be responsible for personal data
• map your data – where it’s held, how it’s collected, used and where it’s transferred
• review current policies and practices, terms and conditions and agreements
• review data security measures and how you will deal with and report a breach
• determine how to ensure ongoing and demonstrable compliance, including use of Data Protection Impact Assessments (DPIAs).

For organisations with a lot of data and little idea how it is used across the business, this is a substantial task.