UK biz: Oh (yawn) GDPR? Was that *next* May? – survey UK businesses are risking damaging fines by ignoring the implications of upcoming data protection rules, according to a new survey. A poll of 2,000 businesses by YouGov exposed a significant lack of awareness and urgency among many businesses concerning the General Data Protection Regulation (GDPR), which comes into effect on …
This post has been deleted by its author
It's also going to apply to anyone wanting to do business with, or in, an EU country regardless of where you are based. So whether or not a future UK government "changes it", you'll need to comply if you want to do business in the EU (and if you believe that any penalties under GDPR will be enforceable).
It Law now, and has been for a year, its just not being enforced untill May 2018, and the Brexit process AKA Article 50 doesnt finish untill May 2019.
GDPR in terms of its rights and responsibilities is not so different to DPA, its just that yo need to prove your compliance with GDPR and that of your subcontractors who can be sued jointly or severably (rather than just you taking the can)
The other changes bring in some interveening regulations like the right to be forgotten and data portability
Even post brexit its likley to be kept as the ICO wrote a lot of it. there may be some issues with enforcement thought as ICO dont really have the staff to handle the mount of work involved. (i've heard from reputable sources they need approx 10x the staff and DCMS wont stump up the cash)
On top of all this, we are still waiting for how the national derogations will pan out, so nothing has really changed since may last year, and a lot of things still need ironed out.
But surely it's applicable to every business. If you hold data on a person then you must comply. Every website that uses user profiles (El Reg - are you compliant?) anyone that takes payment in any form other than cash. If you hold my data then I will be able to ask for ALL of the details you have on me and be able to ask for you to delete them, ALL of them, including from backups (if I understand it correctly).
There are going to be some very, very rich lawyers and a lot of businesses going to the wall. Sadly, it'll mostly be small companies that go under. The monliths with get through it all I'm sure (more's the pity).
On the plus side there will be more work for anyone currently involved in the PPI stuff as that fizzles out and a whole new raft of GDPR IT professionals.
GDPR affects every single business, small trader, voluntary organisation, sports club whether you have electronic records or manual records, or whether you are in IT, or just run something as simple as a hairdressers.
Maintain a list of members, or customers, or suppliers, use email and you're pretty much certain to need GDPR compliance. Unlike the DPA where you just had to fill a form in and pay a fee, under GDPR you have to demonstrate you are compliant - documents, policies, training, supplier contracts (eg gmail) and potentially audits - the whole bureaucratic shebang.
That means every single organisation in the UK has to audit and document its data, data policies and have mechanisms for consent management and security in place. If it costs a minimum of 2 days consulting time or equivalent at £400 per day - for the UK's 5.5m+ businesses, that's an implementation cost of at least £4bn. Once it gets better known among haulage companies, and taxi-drivers and the folk who run the football clubs I can see there being the most humongous stink about GDPR - it is a classic bureaucrat's solution with much too much 'you must' instead just leaving it at 'you must not'.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
