Unless you have been living under a rock, you can’t have failed to notice that the GDPR (General Data Protection Regulation) comes into effect on May 25. The Guardian newspaper has described GDPR as “the biggest overhaul of online privacy since the birth of the internet”.

Jamie Kerr, head of external affairs at the Institute of Directors (IoD), says: “GDPR has been a long time coming for businesses, but it is only proving more formidable as the deadline looms and companies drill down into the detail. The regulator has assured small businesses that there will not be a sudden inquisition once the rules enter into effect, but with such large penalties for non-compliance, firms must assess what they have to do to avoid falling foul of the legislation, and they must do so soon.

“While the regulations may be burdensome, the overriding impulse amongst company directors now is simply to follow the rules. However, SMEs, who are facing a whole host of competing priorities and generally cannot rely upon dedicated compliance teams, are still finding it difficult to digest the sheer scale of the legal changes.

“The government’s immediate priority should be to ensure the Information Commissioner’s Office (ICO) has the resources it needs to make a big final push to assist small businesses in the run up to this month’s deadline”.

Only 6 in 10 company directors say they are confident their organisation will be ‘fully compliant’ with new data protection laws set to come in later this month, a new survey from the Institute of Directors reveals. The poll of 700 bosses shows many businesses remain unprepared for the changes with just under two weeks to go until GDPR comes into force.

Business leaders’ confidence in their preparations has declined over the past six months as the sheer scale of the regulations has come into view. Many business leaders are also less sure about how the new rules will affect their firms, with around 40% reporting they are not confident or unsure as to how GDPR will impact their company.

So what is GDPR?

It is designed to give individuals in the EU the right to know what data is held on them and to have it deleted, and to protect them from privacy violations and data breaches. Is GDPR all that it’s cracked up to be?

Nicola Howell, senior compliance & privacy attorney for Dun & Bradstreet, says: “GDPR should be seen as evolution not revolution. We have had data protection laws for the past 20 years and many of the concepts found in the current legislation have moved over into the GDPR. So the concepts of data controller, data processor and data subject are all the same. The grounds of processing all seem to remain untouched as well; there are subject rights which seem to have been expanded.

“So, [it would be fair to say], GDPR hasn’t ‘ripped up the rule book’. The knowledge an organisation has now will transfer very well into a GDPR compliance programme. However, what has evolved is the accountability which needs to be shown with GDPR,” says Howell.

What are the “need to knows”?

“The first thing [a business needs to do] is to deal with the basics. Know which ground your business is processing data under. Know which data rights affect your business. Not all data subject rights are blanket. And certain rights are likely to affect your organisation more than others,” says Howell.

In relation to GDPR, financial planners and IFAs (independent financial advisers) may be concentrating on the security obligations.

Howell says: “It is very easy to think of organisational measures referring only to security and IT security, however, most data breaches occur around staff and employees, either through maliciously stealing data or accidentally leaving it on trains. So it is important that organisational measures are put in place and staff are trained.”

Sabuhi Gard is an investment writer for Incisive Works.

Further reading on this topic:

GDPR and financial advice: Lawful processing