With the directive coming into force on 25 May next year, organizations need to prepare now if they are not to be in breach of the regulations.
In just nine months a two-tier sanctions regime will come into force, with breaches of the law leading to hefty fines of up to €20 million (or 4% of global annual turnover) levied by data watchdogs. But to focus on potential fines is to miss the point: what matters more is that implementing the GDPR will give compliant businesses a real competitive advantage.
Research suggests up to 61% of businesses have yet to wake up to the reality that, Brexit or not, GDPR requirements are not going to go away. The clock is ticking for organizations to act on what Information Commissioner Elizabeth Denham describes as "the biggest change in data protection law for a generation."
She says, "If your organization can't demonstrate that good data protection is a cornerstone of your business policy and practices, you're leaving your organization open to enforcement action that can damage both public reputation and bank balance. But there's a carrot here as well as a stick: get data protection right, and you can see a real business benefit."
The Information Commissioner's Office (ICO) is the UK's independent body set up to uphold information rights. Its role is to ensure data protection law is respected; although it will impose fines to achieve that goal, fining is not its purpose. The big question is how your organization would measure up if the ICO were to conduct an audit or advisory visit.