Studying this technical article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We'd suggest that you use this as a guide when allocating yourself CPD units.

This article was first published in the January 2018 UK edition of Accounting and Business magazine.

There can be no doubt about it, GDPR compliance is onerous, but it is fundamentally about ensuring that organisations are fit for purpose in the digital age

The introduction of the General Data Protection Regulation (GDPR), which comes into force in May this year, represents the most sweeping overhaul of data protection regulations in the UK in two decades.

For privacy campaigners, GDPR, with its focus on transparency, security and accountability, is a long overdue recognition of the responsibilities businesses have in utilising their customers’ personal data.

Companies of all sizes and types will need to comply with the wide-ranging obligations imposed by GDPR, although the actual workload will vary according to the nature and complexity of the individual organisation.

The bad news for those operating in financial services is that they can expect the burden to be more onerous than most. The good news, relatively speaking, is that GDPR builds to a large extent on current legislation – namely, the Data Protection Act 1998 – albeit with many significant enhancements and some entirely new measures.

So while it won’t be business as usual from 25 May onwards, companies with robust data protection policies already in place certainly find themselves in a much better starting position.

At its heart, GDPR can be seen as raising the data protection bar in the social media age. The way this is put into practice is varied and sometimes complex, and includes requirements for:

  • consent for data use, particularly with regard to under-18s
  • greater transparency and accuracy in privacy notices
  • updated security rules and more stringent reporting obligations for data breaches
  • an upgraded regime for enforcement, remedies and liability
  • the introduction of the principle of privacy by design and default.

Given the scope of these changes, and their imminent arrival, the relatively low-key response from many businesses is a concern. In October last year, a survey by law firm Collyer Bristow found that 55% of UK small businesses were still unfamiliar with GDPR. Equally alarming was that 30% of executives in larger companies were not yet familiar with the regulations.

An international study by PwC published in November and focused on larger companies and multinationals confirmed that meeting the requirements of GDPR won’t come without a cost. Among companies that had completed GDPR preparations, 88% had spent more than US$1m, with 40% spending more than US$10m.

For those that have not made serious headway in their preparations, PwC partner Rav Hayer did not mince his words: ‘These organisations risk regulator fines, litigation costs and lost contract opportunities.’ He also identified particular areas of challenge for financial services providers: data discovery, subject access requests, data retention, data breaches and processing by third parties.

The cost of inaction

Whatever the financial challenge of implementing GDPR, the cost of doing nothing could be far more severe. Data protection authorities will hold a range of new powers to tackle non-compliance, and may fine organisations up to £18m (or 4% of total annual global turnover – whichever is greater) for the most serious breaches. Audits and investigations are not even the biggest concern for companies. Individuals will also have the right to take legal action where they feel their data privacy has been infringed.

‘Customer data allows companies to personalise and tailor the customer experience,’ says Nick Taylor, managing director for the UK and Ireland within Accenture Strategy. ‘Continued access to that data is no longer a given and only companies that show proper stewardship will retain access to it.’

Taylor stresses the importance of seeing GDPR not as a compliance issue but in terms of managing risk and reputation. ‘Companies that fail to comply with the regulation, or fail to report instances of data breaches within 72 hours, face the prospect of being banned from processing personal data,’ he points out. ‘The implications for loss of consumer trust can be severe.’

While such prospects can make GDPR look like a burden, ‘companies that treat it as an opportunity have much to gain by showing consumers their data is respected, protected and used wisely in order to provide a more tailored experience’, he stresses.

Accenture Strategy recommends a risk-based approach to engaging with GDPR. ‘This means that you look at where you store and process personal data – customer, employee or citizen journeys/processes are a good start,’ Taylor says. ‘Also, look at the risks associated with third-party interaction, programmes of work, systems/applications, etc, which will enable you to focus on the most risky areas first.’

As an opportune upgrade of data protection legislation, it would be hard to argue against the value of GDPR. However, given that it has implications for virtually every branch and division of an organisation, the new regime represents, for some at least, a potential reset in terms of how data is valued and managed.

To view this as a burden is to miss the obvious point that clients and customers have legitimate concerns and expectations around how their information is managed. As an opportunity to revise and re-energise the approach to digital privacy, GDPR is fundamentally about ensuring organisations are fit for data protection purpose in the digital age.

Donal Nugent, journalist