Roundtable ... continued from previous page




The GDPR needs to be high on boardroom agendas, he stated. Businesses will face a new compliance journey, a new transparency framework, and new enforcement measures.


Any breach or infringement of GDPR could result in a fine of up to €20 million or 4% of global turnover based on the preceding 12 months.


[Photo: Neil Clarke]


a big challenge for a lot of UK organisations over the next 24 months,” said Kolah.


... and in two years?


The consensus view of our Roundtablers was that only 10% of UK businesses might be fully GDPR compliant by 2018. Was that a problem? Surely the EU regulators would provide some deadline leeway if companies were struggling to implement the right data protection measures?


Probably not, said Kolah and Hickley. The EU Court of Justice was already taking the principles of the GDPR into account when determining case rulings.


Clearswift legal director Debbie Evans suggested this time the GDPR might be “a bear with teeth rather than a gummy bear”.


And regardless of our June 23 Brexit or Bremain referendum vote, the GDPR will still be relevant for any company doing business in Europe, said Kolah.


Elizabeth Denham, “famous for taking on Facebook and winning”, will move into her post as the new UK Information Commissioner this June. “An army of people are currently being recruited into the ICO (Information Commissioner’s Office) because it has new powers under the GDPR. Things are moving. We are in a state of transition,” said Kolah.


Prepare for transition now ... or face the fines


“The key thing to keep asking of your business is: ‘Are we ready?’, and not to think you’ve got two years. The clock has started to tick from this month. The old regime is dead. You need to be getting things ready now,” warned Kolah.


“We’ll be going through a very steep change curve, but there’s an awful lot of effort going on in the data protection community through bodies such as the International Association of Privacy Professionals, and here at Henley Business School, to ensure that when full GDPR arrives people won’t get stung as badly as the headlines are making out right now,” added Kolah.


[Photo: Ian Morrin]


Will reputational loss be the biggest penalty?


The new regulation provided something of a ‘snakes and ladders’ offering, said Kolah. “The GDPR is full of tripwires but also opportunities for those who comply, not least in improving confidence in your data handling with customers and supply-chain partners.”


The way businesses needed to approach the new GDPR regime was as an exercise in business continuity – continuing to trade while taking action to implement compliance.


“The one thing you don’t want to be is breaking news,” observed Kolah. It might lead to GDPR fines, but losses from data protection non-compliance might be greater in terms of reputation than any money involved.


Kolah noted that while the law reforms were an evolutionary change on the data protection landscape, the move to greater transparency was something of a revolution.


Lawyer Debbie Brett agreed: “It’s worth remembering that the premise behind this GDPR is entirely sensible. It’s really a case of the legislation finally catching up with what advances in technology have allowed us to do with data today.


“The key area of progress for me is transparency – as an individual understanding what control I have over my personal data and how I might put it at risk; and for businesses in understanding issues around privacy where the lines have become a little blurred over the years.”


“Customer and client data has always been valuable; it’s just got more valuable.” Building trust and confidence within relationships by being demonstrably GDPR compliant will also ease the gaining of active consents for data use, he added.


Make sure you’ve got a DPO ...


“In future, almost every business will need a DPO – a Data Protection Officer – as defined by the GDPR,” noted Kolah. “The DPO will need to be a senior manager, someone independent but reporting into the board; a person who can’t take instructions, can’t have a conflict of interest, and who reports directly to the supervisory authority – a mini-regulator sitting inside your business.


“Anyone processing data on an industrial scale within their business, whether personal, financial, biometric etc, you’ll have to have a DPO.”


... but there is help, and you may have some derogations


Evans of Clearswift was first to raise an obvious concern. “The principles of GDPR are brilliant but for some smaller companies getting up to speed for compliance, getting everything in place, is going to be a major challenge, as it has been already with the existing data protection legislation. The big companies have the risk managers, the data and business continuity teams; they can afford to throw in resources to make them compliant, but smaller companies may ‘wing it’ a bit more. Will all this make a beneficial difference for the SMEs? How do we get them to change?”


Hickley: “You are absolutely right. It is a challenging environment but there are derogations – exceptions to the GDPR – for smaller businesses, who won’t need a DPO for example. The GDPR also encourages the production of codes of conduct so we are anticipating certain sectors, such as the insurance industry, writing a code for its members that will be ratified by the supervisory authority.”


Evans again queried how the GDPR authority would get smaller companies to “sit up and listen”, and she suggested take-up of the GDPR would not be as great as some people expected.


Neil Clarke felt the free market and supply chain pressures would prevail. He noted the growing uptake of certification to the Cyber Essentials Scheme, a new Government-backed and industry supported scheme to guide businesses in protecting themselves against basic cyber threats. “If, for example, the MOD has a new requirement today, then suppliers


THE BUSINESS MAGAZINE – THAMES VALLEY – JUNE 2016

