Data breaches can be incredibly costly, both for the affected party and for the company at fault, and for employers the costs are about to get even greater.
That’s because a major overhaul of information legislation, the General Data Protection Regulation (GDPR), is set to come into effect from next May.
As well as significantly stepping up the protection offered to consumers’ data, the GDPR will also allow for fines of up to £18 million (or a percentage of revenue) for companies which breach the new rules, not to mention the costs of compensation for affected parties.
In the case of two major breaches at Yahoo last year, which affected up to one billion accounts, it is estimated the organisation would have faced $198 million (£155 million) per occurrence had GDPR been in place.
While this is an extreme example, even the smallest of firms need to be prepared for the consequences of GDPR.
Companies will be required to keep a tighter watch on the data they collect, maintain and share.
One of the most important aspects of the legislation is a requirement for businesses to prove they have obtained consent to hold information on their employees, clients or consumers, and that those individuals have ‘opted in’ to allow the data to be kept.
Therefore, an audit of current mechanisms for gathering data is prudent and a good starting point for any business in becoming GDPR compliant.
The audit should cover all the information the company holds, where it has come from, how it is used, and with whom it is shared.
Another key step for any company is to assign an individual within the firm to have responsibility for data protection within the business, if one does not already exist.
A robust action plan, built to deal with the aftermath of any data breach, should also be put into place. It will involve telling customers what has happened and reporting the incident to the Information Commissioner’s Office (ICO) within 72 hours, in order to comply with the new legislation.
However, a fine is not inevitable even when breaches do occur, provided the business has established strong systems to manage the associated risks and ensure compliance with the new legislation.
Seeking professional guidance at the earliest opportunity can help start the process of getting ready for GDPR, and avoid potentially hefty fines for non-compliance, ahead of its implementation next May.
Janet Kerrigan is service and development director at Willis Employment Services, a division of Willis Insurance and Risk Management.