Businesses still not prepared for new data protection laws

The Latest government research shows that less than half of UK businesses are ready for new data protection laws, due to be introduced in May 2018.

The changes will be brought in by the EU’s General Data Protection Regulation (GDPR), and will be implemented in UK law through the Data Protection Bill.

The Government says its Data Protection Bill will provide people with the confidence their data will be managed securely and safely and will give the Information Commissioner’s Office (ICO) more power to defend consumer interests and issue higher fines, of up to £17 million or 4 per cent of global turnover, for the most serious data breaches.

According to the survey, businesses in the finance and insurance sectors have the highest awareness of the changes, while the construction industry has emerged as having the lowest awareness, with only one in four aware of the incoming regulation.

The survey found that over a quarter of businesses and charities who had heard of the regulation made changes to their operations ahead of the new laws coming into force. Among those making changes, just under half of businesses, and just over one third of charities, made changes to cyber security practices, including creating or improving cyber security procedures, hiring new staff and installing or updating anti-virus software.

What is involved?

GDPR will require organisations to have appropriate measures in place to protect personal data. This could include:

• Documenting what data the organisation holds.
• Reviewing privacy notices.
• Updating procedures around individual’s rights. For example, how an organisation would delete personal data if asked.
• Planning how to handle subject access requests.
• Reviewing how consent to process data is gained.
• Considering children, and whether age verification or parental consent is required.
• Having procedures in place to detect, report and investigate data breaches.
• Assigning a data protection officer.
• In the wake of recent high-profile data breaches, businesses and charities are being urged to update their cyber security protections. Cyber security measures businesses and charities can take up to help protect their data include:
  • Using strong passwords and software updates
  • Adopting the Cyber Essentials scheme to protect against the most common threats
  • Following cyber security guidance available from the National Cyber Security Centre.

"Reforms put consumers and citizens first"

Information Commissioner Elizabeth Denham said: "Data protection law reforms put consumers and citizens first. People will have greater control over how their data is used and organisations will have to be transparent and account for their actions.
This is a step change in the law; businesses, public bodies and charities need to take steps now to ensure they are ready. Organisations that thrive under the new rules will be those that commit to the spirit of data protection and embed it in their policies, processes and people."

Secretary of State for Digital, Culture, Media and Sport Matt Hancock said: "We are strengthening the UK’s data protection laws to make them fit for the digital age by giving people more control over their own data. Figures show many organisations still need to act to make sure the personal data they hold is secure and they are prepared for our Data Protection Bill."

More information on GDPR on ICO's website