GDPR readiness in the spotlight

Author: Olly Jackson | Published: 20 Dec 2017
By Olly Jackson, EMEA reporter

The General Data Protection Regulation (GDPR) may not be as punitive as some suggest but businesses need to spend big to comply, particularly if they were one step behind the previous regulations.

GDPR will come into effect in May 2018 and aims to harmonise data protection rules across Europe. Some changes have attracted a lot of attention: the huge potential increase in fines, which could be as high as €20 million ($23.6 million) or four percent of the company’s annual global turnover; the right to be forgotten and the new legal requirement to report data breaches within 72 hours.

These changes appear to be taking businesses by surprise. In a YouGov poll in May, 71% of UK companies surveyed said they were unaware of the fines enforced under the GDPR, and 40% admitted they would have to cut staff or go out of business if they suffered the maximum fine. Even more troublesome is the news that 62% of businesses had not heard of the regulation at all.

As we move into December, Herbert Smith Freehills' head of data protection and privacy Miriam Everett is more optimistic about firms' preparedness, but anticipates that progress still needs to be made. "I think companies are well along the track but there is still work to do," she said.

This progress could be put down to the huge increase in expenditure in an attempt to become compliant. A PwC report released only last month revealed that 40% of firms that have finished preparations for the GDPR have spent more than $10 million.

While the new regulation opens up the possibility of significantly higher fines and the addition of a new legal requirement to report breaches, there is scepticism about the extent of the changes it makes from the previous regime.

"There is a lot of scaremongering from people, but I don’t subscribe to this", she said. "GDPR is creating a lot of challenges but it’s not wildly different from the current law, it just takes everything and tightens it a bit."

But what does concern her is that the regulation could be left open to interpretation, leaving business owners to work out for themselves how to be compliant. This has led to a big recruiting drive from firms across the UK, with reports that some UK small and medium businesses have employed new staff members specifically to prepare for GDPR.

  • GDPR will force companies to change the way they deal with data breaches and means companies must have clear systems in place;
  • The changes are costly. In a recent survey, 40% of firms considered to be fully compliant have spent more than $10 million;
  • The new regulation aims to harmonise data protection regulation across Europe.

Everett insists that the most challenging aspect of the GDPR is that it demands a cultural shift from organisations. "The law wants privacy to be at the heart of everything. That may not be technically challenging but culturally, a change is needed," she commented.

In recent months data privacy has been particularly under the spotlight. Uber’s data breach that resulted in the theft of 57 million people’s information, and the resulting decision to pay a $100,000 ransom rather than disclose the incident publicly, has highlighted the importance of strong data regulation. The well-publicised Equifax data breach, which saw an estimated 143 million US customers affected, also brought the issue right to the forefront of public attention. The right to be forgotten, giving individuals the right to have their data deleted, is included under article 17 of the GDPR and may help alleviate these issues.

But former deputy data commissioner and Allen & Overy special adviser David Smith says the right to be forgotten is sort of a misnomer that does not truly exist in the new regulation.

"If the organisation has good reasons for keeping your data and can justify it, they can continue to do so," he said. Exceptions apply to the rule providing the data processing is necessary for exercising the right of freedom of expression, compliance with a legal obligation, public interest reasons, archiving purposes in the public interest, scientific or historical research purposes, or for legal claims; a rather sizable and wide-ranging list. Smith says the right to be forgotten is targeted more at social media companies rather than financial services firms.

While Smith believes the changes build on the existing regime rather than revolutionising it, he envisages that companies a few steps behind the current regulation will have a lot of work to do to catch up.

"It is a wake-up call for firms for what they should be doing," he said. "If you’re a step behind the field then it may take a while to step back up. It is important to look at where the risks lie."

Smith does not expect the regulator to demand perfect compliance immediately, however, but he does expect it to want a programme in place that could deliver compliance. The same spirit seems to apply with the new Markets in Financial Instruments Directive (Mifid II): the Financial Conduct Authority has said it will be lenient with firms which don’t necessarily fully comply by January 3, but have taken obvious steps to do so.

Regulators have, as yet, not given too many clues about their intentions. Information commissioner Elizabeth Denham said in a blog post in August that despite the ability to impose fines above the current £500,000 ($670,000) limit, "it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that the maximum fine will become the norm". The Information Commissioner’s Office has published a 12-step guide to complying with the GDPR that highlights the importance of documenting the data businesses hold, checking procedures for data deletion and having an action plan in place in the event of data breaches.

The big change to come from the GDPR will be the introduction of accountability: not just complying with data protection rules but showing that you do so. Appointing a data protection officer and having data retention policies and impact procedures in place are expected to be big signals to the regulator that businesses are taking the regulations on board; but these could be very costly changes.

"It depends where you were in the first place but inevitably there will be costs involved," Smith said. "The bigger the business is and the more data is central to the business, the higher the cost is likely to be."

But it’s not all bad news for businesses. "Businesses with some justification asked how could they follow the rules of all 27 nations, but GDPR harmonises the rules across the entire continent," Smith said. "It gives a bit more freedom for companies to reach the desired results."

The GDPR will understandably elicit frustration from the business community, demanding sizable expenditure and time-consuming policy changes to comply at a time when Mifid II and Brexit are also occupying business minds. But if firms can review data protection requirements, appoint a data protection officer and have impact procedures in place, businesses can make healthy progress ahead of the May 2018 deadline.
