Expert Ishbel warns companies face ‘ticking time bomb’ over new data rules
Companies across Shropshire face a ticking time bomb because of major new rules governing how they store personal information, an industry expert warned today.
Ishbel Lapper says the new General Data Protection Regulation, which comes into force in May, is the biggest shake-up in the law over data storage for two decades.
And she warns that companies will have to make sure they follow the law from day one – or face hefty fines of up to 20 million Euros.
Ishbel, who runs Telford-based HR Solutions Shropshire, which has clients across Shropshire and the Black Country, says the new law will inevitably lead to increased costs for local firms.
She warned: “The GDPR comes into effect on May 25 and covers all aspects of the way organisations store data about their staff and customers.
“It is being introduced with a so-called hard landing – meaning companies will have to comply from day one or risk prosecution and the prospect of some really stiff penalties.
“It’s vital that employers and HR professionals take steps now – if they haven’t already – to ensure they are prepared for the new provision.”
The law – part of moves to harmonise data storage across the EU – applies to any company providing services in any member state, or monitoring any web browsing behaviour within the union.
Breaches may be subject to fines of up to €20M, or 4% of global annual turnover, whichever is the greater.
“Because there is no period of grace this is a real ticking time bomb for companies in the region. If they are not fully up to speed from May 25 they could face very serious consequences,” Ishbel warned.
“And I’ve no doubt that racing to meet the demands of the new law will add to admin costs for many businesses in the area.”
Under the new law, employers will need to review how they collect, hold and process personal data, as well as how they communicate with any individuals about that activity.
Organisations must provide more information on what data they hold and how they use it, and be able to demonstrate their compliance to regulators – in the UK’s case the Information Commissioner’s Office.