Businesses still have time to comply with the new data protection regulations, but the opportunity to benefit from the change is rapidly diminishing

There’s little more than six months to go: The General Data Protection Act comes into force in the UK on May 25, 2018. And the signs are there’s still a lot to do to prepare. Even large businesses remain unclear about the new rules, according to a recent survey.

That could prove costly. Much has been said of the new penalties possible under the new regime: Up to 4% of global turnover or €20 million, whichever is greater, compared to a current maximum the ICO can fine of £500,000. It’s not just regulatory penalties that firms need to worry about, though.

They also need to consider legal action from individuals. Class actions over data breaches are not unusual in the US; in June US health insurer Anthem, agreed a record $115 million settlement over data breaches. Such actions are rare in the UK, but there are examples. GDPR could now open the floodgates. In Ireland, consultancy PwC has said it expects litigation to follow on quickly next May, with specialist legal firms already being set up to encourage claims.

“[We] could see another Personal Protection Insurance debacle emerging,” says the firm’s cyber leader.

The IT skills gap

If firms are to avoid problems, they’ve got a lot to do. Putting in place mechanisms and processes to comply with requirements such as mandatory notification of breaches and “the right to be forgotten” will be a challenge for some organisations.

Neither is it helped by the fact many organisations face a shortage of skills. Businesses worldwide are looking to recruit at least 28,000 data protection officers as a result of GDPR and, more widely, the International Information System Security Certification Consortium has predicted a shortfall of 350,000 cyber workers across Europe by 2022.

With just months to go, there’s a lot of work to ensure compliance and surprisingly few workers to see it done.

Making GDPR work for your business

But there’s an opportunity from GDPR as well, and this will almost certainly be missed if businesses are left rushing just to just meet the minimum requirements.

First, preparing for GDPR more or less necessitates a review of data security. That in itself provides an excellent opportunity to review the processes, procedures and technology in place. This will not only mitigate the risk of penalties for inadequacies the regulator picks up, but actually reduce the actual likelihood of a data breach – a potentially costly and damaging event for a business’s reputation even if the regulator deems it wasn’t at fault.

More widely, GDPR requires organisations to take stock of their data: not just how it’s protection, but how it’s collected, where it’s stored and how it’s handled. Without this, they cannot hope to ensure it is treated in accordance with individuals’ wishes. This gives businesses the opportunity to really clean up their act: removing duplicates, deleting unnecessary data, connecting related information and breaking down the silos of data within the organisation.

If businesses do that, they could find that as well as easing the effort of compliance, they also unlock the value hidden in their data. Like everything else, though, it requires work and will take time.

And if businesses want to benefit, they need to remember that the clock is ticking.