Businesses need to prepare now or pay later under the EU’s new stringent data protection rules.
It’s official: the EU’s General Data Protection Regulation (GDPR) will take effect in the UK, despite Brexit. In October, the Secretary of State, Karen Bradley, confirmed the government would be implementing the Regulation.
This has always seemed likely. Both implementation of the new rules under GDPR and the UK’s negotiations for its exit from the EU are stuck with a two-year deadline. The countdown for Brexit only begins when the UK triggers Article 50, though, which it’s not expected to do until next March (and maybe later). The timer for implementation of GDPR began with the publication of the final draft of the Regulation in May.
When the GDPR comes into force in May 2018, the UK will still be a member of the EU.
No more excuses
Information Commissioner Elizabeth Denham, who previously said it was “extremely likely” GDPR would apply, has welcomed the confirmation.
“I see this as good news for the UK,” she wrote in a blog post. “One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world… The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information.”
Following the referendum result, the ICO published its overview of the GDPR. As it pointed out, the rules would, in any case, apply to all those dealing with the data of EU citizens, regardless of where their business is located.
Unsurprising it may be, but confirmation from the government that the GDPR deadline stands is still helpful. It should finally do away with any lingering doubt that businesses need to act on this – and not before time.
Businesses may still have 18 months to go, but they need to start addressing the requirements and risks the GDPR introduces now.
The latent threat of GDPR penalties
First, that’s because there is a lot of work for businesses to do. Many have no simple way of meeting some of the new requirements, such as the right to be forgotten.
Second, it’s because the GDPR fundamentally alters the balance when assessing the costs and benefits around implementing cyber security technology, systems and procedures. The new rules massively ramp up the potential fines for breaches – up to four per cent of a company’s global revenues or €20 million, whichever is higher, against the current ICO maximum of £500,000. If the GDPR applied today, Tesco’s would be looking at a fine of up to £1.9 billion.
That’s important to have front of mind, because the GDPR will apply to any breaches discovered after May, regardless of when they actually occurred. Many attacks have long latency periods, so the first fines under the GDPR could well be for breaches that are happening right now.
Finally, businesses need to start preparing now because everyone’s in the same boat. On the one hand, that gives a degree of comfort. On the other hand, it means demand for support and expertise for projects to prepare for GDPR is going to be high; recent projections estimate that 75,000 data protection officers (DPOs) will need to be found in the next two years, for example.
Those that leave it to the last minute to source the people and help they need could find they are otherwise engaged.