With the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, the clock is ticking for many businesses across the UK.
Failure to comply could result in a massive financial penalty, but, with the right preparation, it doesn’t have to be a calamitous shift. If your organisation is ready for the changes, you can give your business a head start and hit the ground running in May. This post explores what’s changing, how it will affect businesses and how to make sure you’re ready.
Who is affected?
Britain voted to leave the EU, but that doesn’t mean we’re free from EU regulations just yet. When GDPR comes into force, UK businesses will need to adhere to it. Even once we are out of the EU, any business that offers goods or services to people in the EU, or monitors their behaviour, will still have to comply, because the regulation applies to the processing of EU residents’ personal data wherever the organisation is based.
It will affect two broad groups, namely controllers (who decide why and how personal data is processed) and processors (who process it on a controller’s behalf). Even if you outsource your data processing, you remain responsible for ensuring your processors are compliant. And, yes, the fines for non-compliance are seriously big: businesses can be hit with a penalty of up to €20,000,000 or 4 percent of their total worldwide annual turnover for the preceding financial year, whichever is higher.
Going through changes
So, what’s actually changing? From May 2018, GDPR will replace the Data Protection Act 1998 (DPA), which has been in place for two decades. Both aim to protect people’s data by controlling how it is used, processed and stored. However, GDPR goes a step further in terms of accountability.
As explained by Stephen Foster in CIPD, it requires you to “demonstrate compliance by design”. It is not enough to be compliant; you need to be able to show how you are complying, with the right systems in place. This includes everything from training (and proof of it) to well documented decisions for data processing and contractual proof of any processors’ compliance. Contracts with processors must set out, in writing, what the processor may do with the data and the obligations it takes on, so an existing supplier agreement that is silent on these points will need to be revised.
In practice, it means you remain accountable for personal data even when someone else handles it for you, so a breach anywhere in your supply chain can land on you. And on top of the financial penalty, this can have a serious impact on your business’s reputation. CIPS have even suggested that it could be a greater power shift to consumers than the advent of online reviews. But, as with these reviews, there’s no use trying to act against the disruption. Businesses need to adapt and work with the “new world of marketing, data and consumer control”.
Getting on top of things
When it comes to preparing for GDPR, there’s no use putting it off. Especially in highly regulated areas, like financial services, it’s imperative to prioritise the new regulation. Procurement and contract managers need to be fully up to speed with the changes, but should also consider rolling out information packs to educate all staff on the new legislation.
It’s then up to the procurement team to go through all contracts that involve personal data, identify where the required data protection terms are missing or inadequate, and ensure each one is remediated accordingly. This is when you’ll realise the importance of early preparation, as these contract revisions, potentially in high volumes, will need to be agreed with stakeholders and suppliers. Most likely, the negotiations will be long drawn out, but they will need to be completed before the regulation applies.
Can recruitment help with GDPR?
At Bis Henderson, we have witnessed an increased interest in finding data protection specialists to deal with GDPR. But what should you look for in candidates? Experience is paramount. Unlike other recruitment, however, there is a difficulty in finding someone who has amended contracts specifically relating to GDPR, simply because the regulation is so new.
Businesses can, however, recruit candidates who have dealt with a significant number of contracts, ideally in highly regulated sectors. Look for people with a strong understanding of existing regulations relating to data handling and protection, and of how these are incorporated within contracts.
Stress-free recruitment
If you’re looking to find a GDPR specialist to work within your Procurement team, Bis Henderson Recruitment can help. We have decades of combined experience in procurement, supply chain and logistics recruitment, with an unrivalled client and candidate network. Get in touch today to discuss your recruitment needs.