Are businesses truly aware of the effects of GDPR?

James Gare, Monahans

Chartered accountants and business advisors Monahans is warning businesses to get ahead of the data regulation changes coming into force next year in order to avoid fines of up to €20 million.

GDPR – General Data Protection Regulations – replaces the existing Data Protection Act from 25 May 2018.

The new legislation governs how companies use the information they have on their customers and subscribers and covers all forms of digital marketing across Europe.

It gives individuals new ‘rights’ and powers, and not complying can result in fines up to 2% of an organisation’s annual income. If a business suffers a data breach, the resulting fines can increase to 4% or even €20 million.

Regulations will be coming into force tightening restrictions on consent, data breaches and notification, individuals’ rights to access the information held on them – and for it to be erased should they wish.

Those businesses which collect and hold personal data will also need to abide by rules concerning how they design their systems to ensure privacy and security, as well as enabling data to be able to be reused by the individual should they wish.

James Gare, Partner at Monahans said: “People have probably heard the phrase GDPR more and more over the last couple of months, but many businesses don’t realise if and how it applies to them.  In our role as Business Advisors, we keep our clients up-to-date with these types of legislative changes to avoid breaking the law and the resulting financial implications.

“These changes may seem fairly innocuous on first glance, however processes you currently use or have used in the past could immediately put you in breach of the legislation come May.

“At the minimum you should be mapping out how information is held within your organisation. This includes trying to understand what information may not be adequately controlled and that any data obtained through a third party has been lawfully obtained.  If you’re not 100% sure about this, then you must delete this data.  For information you’ve directly obtained, it will be necessary to refresh existing consents if they do not meet GDPR standards.

“I’d advise people to prioritise taking the time now to review your procedures and even map out what would happen should requests to receive or delete personal data under the new GDPR legislation be received.  By May next year, these must be firmly in place so it’s never too early to start.”