With a year to GDPR coming into force, what do businesses need to do?

With 25th May 2017 marking a year until the General Data Protection Regulation (GDPR) comes into force, Charles le Strange Meakin, senior partner for KPMG in Cambridge and technology specialist, highlights that tech businesses, particularly early-stage businesses, need to make sure they don’t fall foul of the new legal framework.


Charles comments: “On 25 May 2018, GDPR will affect any organisation or business that has any dealings with consumers and businesses in EU member states. It will fundamentally alter the scale, scope and complexity of the way personal information is processed. There is no threshold size which the regulation will be relevant for, and startup and scaleup businesses will be required to comply in the same way as large corporations.

“The regulation is going to require most organisations to make significant enhancements to their privacy control environment and rethink the way they collect, store, use and disclose personal information. These changes are going to be complex and take time; as such, most startups cannot afford to wait if they want to remain relevant.

“It’s worrying that with only a year to go, many organisations, including some startups with decent scale and customer traction, still have a lot to do and absolutely cannot afford to have this regulation on their radar. The truth is that there is still so much confusion around what they have to do and how to deal with it. The unknowns around Brexit have also posed some uncertainty on what GDPR will mean to the UK post-Brexit.

“When it comes to Brexit, it is critical to understand that if the UK is going to continue to trade with the EU, the free flow of personal information must be maintained. As such, we have to have an adequate privacy ecosystem in operation in the UK which is aligned to the requirements of the GDPR. What remains to be seen is whether the GDPR is subsequently repealed and replaced with something else post-Brexit.

“So that enterprises don’t have issues and face subsequent enforcement, including fines of up to €20m or 4% of global turnover, businesses should:

1. Understand the risk for the business – with such high fine potentials, GDPR will start cropping up on due diligence checklists carried out by investors.

2. Understand current state and set desired state – conduct a gap analysis against the GDPR to understand where your organisation is exposed to risk and determine what the risk appetite is.

3. Plan and implement – create a detailed plan to enable the desired risk appetite to be reached and undertake a privacy improvement programme to deliver against this plan.”

*******

For media enquiries, please contact:

KPMG Press Office: +44 (0)207 694 8773
