The impact of far-reaching changes to the law that governs the way in which businesses handle personal information is certainly being felt across the country.

The new General Data Protection Regulation (“GDPR”) will replace the existing UK Data Protection Act 1998 in its entirety, and comes into force on 25 May 2018.

Those with an interest in IT, data security and compliance will have already heard a lot about the GDPR. Much of this interest has been down to increased penalties for breaches of the regime. Fines are going up from £500,000 to 20 million euros or four per cent of a business’s annual worldwide turnover. The stakes are higher than ever before and, importantly, these fines are not sector-specific. They can be imposed on any business which is handling personal information, whether it be customer data in the latest mobile application or human resources records.

Since the GDPR was finalised, I have found that there has been a lot of miscommunication around what businesses need to do to comply. In fact, whilst a lot is changing, a lot is not. The fundamentals of good information governance remain the same. For example, there is a lot of coverage around “security” changes needed as a result of the GDPR. The reality is that the general obligation to keep data secure and to implement appropriate technical safeguards isn’t changing.

What is changing is the culture of compliance required by the GDPR. Businesses are required to be a lot more upfront in how they handle personal information. This follows from the agenda of “accountability” that is the backbone of the GDPR. It means that businesses have to document in much more detail what they do with personal information.

I describe to clients in training that compliance is a bit like your maths exams at school. Before you just had to get the exam question right. Now, you need to show your workings to score points. The law demands that your “workings” are in place to show how you comply. This change in approach cannot be addressed overnight.

If you have not taken steps to look at the GDPR’s requirements, then I would encourage you to start now. There is time. As a first step you need to map out with key stakeholders what data you have, why you have it and who you share it with. This data mapping exercise is key to understanding potential risks. Focus on areas of your business that handle sensitive data first since this is the highest risk area.

You should look at the information you communicate to those affected by the processing of data. You will need to review your privacy policies and fair processing notices. These need to be much more detailed than before, as the GDPR imposes specific requirements to be “transparent” about data handling practices. Updating these notices in time for May 2018 will take some time.

Another key area of change that should be reviewed sooner rather than later is engagements with third parties that process personal data on your behalf. The GDPR is far more prescriptive about what contracts need to say around the processing of data in these relationships. Negotiations will be needed to accommodate these requirements, and this will take time.

Internal staff policies will also need to be updated to cater for other prescriptive changes in the GDPR. For example, under the GDPR businesses will need to report security breaches involving personal data to the regulator without undue delay, and no later than 72 hours. Internal policies will need to ensure staff are aware of these breach-reporting requirements so that breaches can be reported efficiently where required.

There is a lot more to the GDPR than these points, but the sooner a business takes time to consider its impact, the easier it will be to implement the changes that are required for your business. In many places, you may find that you are already compliant. Taking a morning out with the key stakeholders in the business who handle personal data to consider the issues now is an easy first step towards getting ready for next year.

Ross McKenzie is a senior associate at Burness Paull.