In May 2018, the much-discussed General Data Protection Regulation (GDPR) will come into force. In an increasingly data-driven world, the GDPR aims to consolidate privacy regulations and give individuals greater control over how their personal information is used, ensuring that their privacy and safety are preserved.
We spoke to Geoff Smith, Managing Director of Experis Europe, about the ways in which this could impact organisations – and their workforce.
What is the GDPR and why is it coming into force?
The current EU data protection law was introduced in 1995 and, since its introduction, each EU member state has taken a different approach to interpreting and implementing the law. This has created significant compliance difficulties for businesses. Additionally, as technology has become much more sophisticated, the ways in which individuals and organisations communicate and share information are radically different today than when the current law was created.
For these reasons, the EU’s legislative bodies have agreed on an updated and more harmonised data protection law – the General Data Protection Regulation (GDPR). This will strengthen the rights of the individual, extend the territorial scope, increase compliance obligations, and expand regulator enforcement powers.
What are the key changes that are coming into force under the GDPR?
The GDPR aims to put people in control of their personal information, so it will be more important to get someone’s consent to use their data. When consent is given by an individual, it must be affirmative, unambiguous, verifiable, freely given and retractable. This means a specific action must be made (pre-ticked boxes won’t count); the individual must know exactly what they are consenting to; it cannot be given based on an imbalance of power; they must be able to easily withdraw consent at any time; and a full audit trail of how and when consent was gained must be kept.
On top of this, organisations must report notifiable data breaches to the Information Commissioner’s Office within 72 hours of becoming aware of the violation. Individuals will be able to make claims against organisations who misuse their personal data. Organisations must be able to provide people with a record of all the data they hold on them.
And businesses that process personal data on a large scale as part of their core business will be required to appoint a Data Protection Officer.
What are the implications if my business doesn’t comply with the GDPR?
Failure to comply with the GDPR will have significant ramifications. Under this new legislation, businesses could be fined up to 4% of their annual global turnover or €20 million (whichever is greater).
As well as financial implications, recent high-profile security breaches have demonstrated the consumer backlash that can occur when the data of individuals is mismanaged. And under the GDPR, companies will be expected to meet even stricter guidelines on how they acquire, use and manage data. Fail to comply and companies may be in danger of substantial reputational damage – which can have a knock-on effect on business results.
As a result, the pressure is on for organisations to get their data practices in order, to ensure they comply.
What does this mean from an organisational perspective?
The GDPR will affect every function in your business, because it affects every single individual your organisation interacts with.
Prior to the introduction of the GDPR, many business functions will not have had to consider data protection in their day-to-day work. This will shift dramatically from May 2018 onwards. This means there is likely to be a significant requirement for training, to ensure that employees understand the implications for themselves and the business. All workers will need to be trained on how personal data should – and shouldn’t – be acquired, stored, accessed, shared and managed going forward, so they can ensure they comply in their day-to-day role.
Awareness and communication are vital. Across the entire workforce, people need to be aware that the law is changing, what the impacts could be, and of the steps that are required to make their functions compliant. Organisations may find compliance both costly and difficult if they leave their preparations until the last minute.
How can organisations optimise their use of Big Data and IT Security talent in the long-term?
Getting the right workforce blend is the key. It’s likely that many businesses will need to make a significant investment in their Big Data and IT Security processes, to ensure their systems and processes are compliant. This may mean bringing in additional resources who possess these in-demand skills – to strengthen the company’s core tech capabilities for the long-term.
However, recruiting new talent is just one piece of the puzzle. It’s also critical that organisations provide the existing workforce with training and development opportunities. This will make sure organisations can retain their top talent, and that they continue to have the necessary tools and skills to support shifting business requirements.
Employers shouldn’t overlook the value of expert contractors either. With the fast changes in technology and the industry, hiring contractors who can transfer their skills and knowledge and upskill the existing workforce can be very beneficial. They can also bring in fresh perspectives and new ideas, to the benefit of your wider organisation.
Many organisations have already begun to prepare themselves for the new legislation, but there is no doubt that it will be a lengthy procedure. No matter how far along you are in the process, Experis is equipped to support your organisation.
To find out more, visit experis.co.uk
This article first appeared in the seventh edition of The Human Age Newspaper.