Helen Farr, Phil Beckett
2018-05-23

Have companies underestimated the impact of GDPR, which comes into force on Friday?

Helen Farr, partner at Fox Williams, says YES.

Although it is two years since the General Data Protection Regulation (GDPR) was announced, many businesses have not appreciated the full scope of this new regulation.

Firms have prioritised ensuring that their systems for processing customer and client data are compliant, but the same attention has not been given to employee personal data.

Each company’s data protection officer or privacy officer is responsible for ensuring the implementation of appropriate policies and procedures in relation to processing employee personal data. This includes updating contracts of employment and ensuring that all staff know how their data is processed and understand their new rights under GDPR.

Business leaders should not need reminding that there will be no grace period for those that do not comply in time. The regulator is prepared to use a range of enforcement penalties, including eye-watering fines and restrictions or bans on processing data. In addition to financial risks, companies would be wise to remember the reputational risk of non-compliance.

Phil Beckett, managing director at Alvarez & Marsal, says NO.

Given the sheer complexity of GDPR, I don’t believe firms have underestimated the law per se. Most have a good understanding of the basic requirements, and are putting in measures to ensure that they use data in the permitted way.

That does not mean that all firms will be 100 per cent compliant – mainly because no one really knows what “total compliance” means.

There may still be gaps in firms’ understanding and their application of the law, in terms of how to prepare for it (what to do with historic data, the confusion between business-to-business and business-to-consumer data, soft or hard opt-ins), and ongoing, long-term compliance.

While I think most companies will start off the new GDPR era on the right foot, it’s important to remember that it is a living regulation and compliance is ongoing – it needs to be maintained and reassessed as systems evolve; it is not a simple tick-box exercise.

