If you have been paying attention, it is likely that you will have heard murmurs about the upcoming changes to the way that personal data will be protected in Britain. You may even have heard us outline some of these changes ourselves in our blog ‘How will the changes brought in by GDPR affect your business?’. For almost 20 years, we have relied on the Data Protection Act to be our sole regulatory legislation for the responsible processing of personal information. On the 25th May 2018, this will change.
The EU’s General Data Protection Regulation (GDPR) is a set of compliance regulations that organisations and businesses will be obligated to adhere to. When processing data, these robust, much stricter set of rules will be the benchmark for companies to meet, in order to avoid the fines that incompetence, and ignorance, will claim. Despite the huge changes that GDPR is promising for UK businesses, there still seems to be a certain amount of unawareness across the country, no more so than in the Legal Sector.
GDPR is being advertised https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ and http://www.eugdpr.org but although there is a lot of talking, there appears in many areas to be little action. The Legal Sector is especially culpable. In our experience, even some of the most renowned and revered firms in the industry have little to no security procedures in place to protect the invaluable data they hold.
We have seen time and time again the sheer enormity of the risk they are taking, and have attempted always to advise them accordingly. Whereas these firms may simply have been risking a dent to their reputation should there have been a leak or breach before though, now they risk a fine that could prove devastating to the business.
Under GDPR regulations, an organsiation that is in breach could be fined as much as 4% of their annual global turnover, or €20 million depending on which is greater. This would be for the most serious infringements, which include evidence that the company does not have sufficient customer consent to process data, and proof that there has been a breach of valuable data due to there being insufficient strategies in place. The lower end of the scale would see companies fined 2% for simply not having their records in order, or failing to notify the relevant authorities of a breach. Slightly less severe perhaps, but still a potentially significant fee.
Perhaps one of the most important factors to remember is that the rules will apply to both ‘controllers’ and ‘processors’ in a data storage relationship. This means that cloud will not be exempt, and that companies can’t simply hide behind their supplier. The simple way to avoid this? Make sure you know exactly where your cloud storage company is situating their servers, and how well they are protecting them. Any doubts at all, then don’t trust them. We can always help point you in the direction of reliable suppliers.
Of course, as well as being potentially liable for damages if a breach does occur, GDPR could also prove an incredible marketing opportunity for the Legal Sector. A publicised increase in digital security measures, as well as a review of the internal processes for handling information, will show potential and current clients just how seriously the firm takes the ever-growing risk of data storage. Customers and businesses are attuned to the buzz around digital security, thanks to the plethora of major hacking scandals splattered across the news, and will react positively to an obvious commitment to safety.
The GDPR changes are coming, regardless of whether UK businesses are ready for them or not. For law firms, this could not only mean a huge dent to their reputation, and reduction in their client base, but also a sizeable fine that could cause irreparable damage if at its maximum. It seems a big price to pay for something that can be so easily avoided. Speak to Digital Pathways today and make the changes necessary to ensure your company meets GDPR requirements and can be judged on its virtues, rather than its mistakes.