Business costs of adapting to data protection reforms will increase the longer companies wait, says expert

Data protection law specialist Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com, said businesses should take steps now to prepare for the General Data Protection Regulation (GDPR) taking effect in May 2018 if they have not already done so.

Measures that businesses can take to prepare might include engaging expert advisers to help undertake a compliance gap analysis, provide strategic advice on how to move towards compliance with the GDPR and supporting companies to recruit and train data protection officers, which many organisations will need to appoint under the new framework, Richard said.

"To avoid disrupting the company too much with major last minute changes, and incurring substantial costs in the process, it is vital that businesses operating in the EU take steps now to move towards compliance with the GDPR," Richard said. "Waiting until early 2018 or even late 2017 will be too late."

Richard was commenting after a Lloyd's of London survey (22-page / 2.29MB PDF) found that while almost all businesses have heard of the GDPR, most are unfamiliar with the detail of the reforms.

Lloyd's surveyed 346 senior decision-makers at businesses with revenues of at least €250 million across Europe, including chief executives, chief information officers and chief technology officers, and found that just 7% of respondents said they "know a great deal about the EU GDPR". More than half of respondents (57%) said they either don’t know many or any details of the GDPR.

Cybersecurity expert Kuan Hon of Pinsent Masons said the size of potential financial sanctions for failing to comply with the GDPR should sharpen the focus of businesses and prompt them to prepare for the new regime. She said UK-based businesses cannot afford to ignore GDPR despite the fact the country has voted to leave the EU.

Hon said: "Organisations have less than two years to prepare for GDPR. It is important that they commence their GDPR-readiness programme as soon as possible, given the potentially huge fines that could be levied under GDPR for security breaches, on both data controllers – up to €20m or 4% annual turnover – and data processors – up to €10m or 2% annual turnover. Failure to notify a personal data breach under GDPR alone will expose an organisation to a potential 2%/€10m fine, quite apart from the security breach itself. GDPR is likely to be relevant to UK companies even with Brexit."

Both Richard and Hon said that the new data breach notification obligations that will apply under GDPR, together with stiffer requirements on data security, means that data breaches could have a significant effect on companies' reputations in future.

Richard said: "Businesses should be aware that taking steps to meet their legal obligations, including data security and breach reporting duties, under GDPR, will be insufficient on their own to prepare themselves properly for the risk of cyber attack. The risk is so prevalent that the question is now not if businesses will fall victim to such attacks but when."

"The precise technical security measures that businesses need to implement to comply with the GDPR will depend on their own risk profile and the volume and sensitivity of the personal data they process – there is no fixed standard that applies. Companies must prepare their own cyber incident management and response plans. This will involve establishing internal reporting mechanisms to identify a breach and putting in place a cohort of staff responsible for minimising the impact of those incidents, as well as a communications strategy to control how the incidents are reported and evidence-gathering procedures to help inform any legal proceedings against those liable for the breach," Richard said.

Hon said that many businesses subject to the GDPR will also be subject to broader security and incident reporting obligations under the EU's Network and Information Security Directive, which is also due to become law in EU countries in 2018.

"The NIS Directive will affect many sectors like banking, utilities, transport and healthcare, for multinationals operating in more than one EEA country or if similar laws are enacted in the UK despite Brexit," Hon said. "Its requirements may well be slightly different from GDPR’s. With so much new legislation to prepare for, it would behove organisations to start work sooner rather than later."

According to the Lloyd's of London report, 92% of businesses have experience a cybersecurity breach within the past five years. The report said, though, that less than half of the survey respondents (42%) are concerned their business will fall victim to another breach in future.

"Cyber threats will never go away and will only become more complex as time goes on," the Lloyd's report said. "It is almost impossible to be 100% protected from cyber attacks."