In 1998, the Data Protection Act became law in the UK. It replaced the Data Protection Act 1984, and the Access to Personal Files Act 1987. The purpose of this legislation was to regulate the storage, use and management of individuals’ personal information. This was all well and good – in 1998.
Clearly, quite a lot has changed since then.
In 1998, the prospect of storing emails past a certain quota was exciting, but impossible. In 1998, we searched on Yahoo because Google had only just been founded, and each search felt like a time-consuming treasure hunt. In our brave new world, by contrast, information technology and digital data exist at every level of a business.
Since then, we’ve amended aspects of the act and added subsequent legislation to cover electronic communication. However, due to the fast pace at which our technology is evolving, a complete overhaul of this framework was long overdue.
So, in January 2012, the European Commission published a draft regulation proposing significant changes to the legislation. This sparked four years of debate, negotiation and lobbying on a scale the EU had never seen. (If you didn’t think arguments could take four years to resolve, you probably haven’t been married.)
Finally, the new EU data protection framework has been adopted, taking the form of a regulation: the General Data Protection Regulation. It will replace the current Data Protection Directive (95/46/EC) and apply from 25 May 2018. However, given the risks of non-compliance, we think businesses should start preparing today. As in, right now. (After you’ve read the blog, that is.)
Why is data protection important?
Let’s start from the beginning.
Data is the currency of all successful businesses. It’s how we grow: we collect valuable customer data, and we use it to understand and expand our audience. We have systems in place to help us do this: perhaps it’s a CRM system, or a collection of spreadsheets. Perhaps it’s a bunch of files and folders in a cabinet (if it is, seek help).
Imagine all of this valuable customer data was hand-written into a personal address book. Then imagine that you left that address book in the phone box after making a call. Upon returning later, you found the address book was gone. Well, luckily the police have a pretty easy phone number to remember. But what about all your customer data? Who now owns your phonebook? What if they’re calling your customers? What will your customers think?
What if they’re doing prank calls with funny accents? Even worse, what if they’re passing that data on to others for money?
What started out as an innocent exchange of details has now become MI5’s version of pass the parcel. The data is now out of your control, being passed and unwrapped again and again until your customer loses trust in your business.
Sure, this may be a classic 90s problem which the digital revolution did away with: no address books, no phone boxes. However, when we went digital, we got lazy. Without the need for physical files, we started treating customer data like missing socks: they’re always somewhere in the house, but until we need them, it’s not important. However, while a pair of odd socks gets you funny looks and maybe a few jibes from your colleagues, missing data can now lead to a hefty fine according to the new General Data Protection Regulation.
So, what is the EU GDPR?
The EU GDPR is arguably the world’s most important regulation governing people’s personal information. It’s the biggest shake-up of data protection legislation in over 20 years, and from 25 May 2018 it will govern how you process, manage and secure the personal data of anyone in the EU, whether or not they are an EU citizen.
Okay, let’s address the elephant in the room: you guessed it – Brexit.
Surely, if the UK leaves the EU, this new EU regulation will not apply to us?
In fact, the regulation applies to any organisation that processes the personal data of people in the EU in connection with offering them goods or services, or monitoring their behaviour, regardless of where in the world that organisation is located. The UK will also still be an EU member when the GDPR takes effect in May 2018, so it will apply here directly from day one.
The GDPR isn’t just a change to legislation – it’s a cultural shift.
Where previously companies behaved as if they owned the data they collected, the GDPR makes clear that any data which can personally identify an individual is that individual’s, and gives them enforceable rights over it. Companies become custodians, and are therefore responsible for ensuring that all records of customer data, in whatever format, are accounted for, protected and safe from a potential breach.
Under the GDPR, organisations must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to pose a risk to individuals. Where the breach is likely to result in a high risk to the people affected, those individuals must also be told without undue delay. This short window may seem threatening, but it forces businesses to put in place a well-rehearsed response plan: you cannot report within 72 hours what you cannot detect, scope and escalate within 72 hours.
What are the risks?
The purpose of the GDPR is to protect the personal information of people in the EU. However, in order to enforce a higher level of cyber security across businesses, the EU GDPR introduces a strict compliance regime with fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, for breach of the regulation.
This serious financial penalty makes data protection a board level concern; and companies who fail to adequately protect their customers’ information will face a fine based on the gravity of the incident and the duration of the infringement.
If the fines aren’t enough, data protection authorities (DPAs) will happily ‘name and shame’ those who have fallen below the standards expected of them, causing great damage to the reputation of your business.
What do you need to do?
The first step is to understand the value of the information you’ve got. Customer data is an asset, which allows you to gain real insights into your target market, but it’s also extremely sensitive information. In order to avoid the consequences of non-compliance, you should follow these 5 key steps:
1. Spring Clean your Data
Even if you feel prepared for the GDPR, it’s a good idea to perform a thorough audit of all the data you hold: not only about your customers, but your employees too. This spring clean is a great opportunity to get rid of all the unnecessary “data noise” you’re storing; a chance to start afresh, safe in the knowledge that the only data you have is data you need, and the data you need is protected from a potential breach.
If you’re a bit of a hoarder, take this opportunity to ask yourself: why was this data captured? What is its purpose? Who in the business is using this data? If no one can provide answers for any of the above, there’s no need to hold on to it. If it’s useful data, make sure you know where it’s being stored, taking into account any cloud storage platforms and any trace of it across staff members’ personal computers.
2. Assign Responsibility
Under the GDPR, organisations that process personal data in certain specified circumstances (public authorities, and those whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data) must appoint a Data Protection Officer (DPO). This officer will be the point of accountability for your business’s handling of personal data: monitoring that it’s being stored and processed in accordance with the GDPR, ensuring all staff are trained on how to handle personal data, and advising on data protection impact assessments for high-risk processing. While the requirement only applies to certain organisations, assigning responsibility to a DPO is beneficial in ensuring one individual is constantly monitoring your organisation’s compliance with the regulation.
3. Assume you’ll be breached
This may seem a little paranoid, but it’s something you need to be prepared for. As the new law makes it compulsory for breaches to be reported within 72 hours of your becoming aware of them, it’s essential to have a clear set of well-practised procedures in place in the event of a security breach: who detects it, who assesses the risk to individuals, who decides whether to report, and who reports. I know many of you will be thinking “it’ll never happen to me,” but if it does, I can promise you that my voice will haunt you daily with those four powerful words that we all hate: “I told you so.” If that’s not an incentive to get a solid system in place, I don’t know what is.
4. Consider consent
Under the GDPR, every data processing activity requires a lawful basis. Consent is one such basis, but to count it must be freely given, specific, informed and unambiguous: an affirmative opt-in rather than a pre-ticked box, and the data subject must be able to withdraw consent as easily as they gave it, whenever they choose. This prompts organisations to review how they seek, obtain and record consent, and whether the data-capturing process needs to change.
5. Change your culture
Even if you have appointed a Data Protection Officer to oversee your data, a breach will reflect badly not only on that individual but on the organisation as a whole. As a result, the GDPR requires privacy by design and by default, and encourages organisations to create a culture where data privacy is considered in every process, at every level of the business. As you move forward, ensuring that privacy is at the heart of any new process will not only demonstrate compliance, but also help to create a competitive advantage.
How can 360 Business Law help you?
At 360 Business Law, we believe that good security is good business.
While this blog provides a guide to the necessary steps involved in protecting your data, we understand that this won’t happen overnight. That’s why our business lawyers are available around the clock to help you implement a data protection strategy that reduces your overall risk profile in the face of the coming change.
When you subscribe to our service, our globally recognised lawyers will come to your business to undertake a legal audit, identifying the risks you are facing early enough for you to take action and make a difference. Due to our vast experience and business acumen, we are able to help companies thrive by providing high quality advice and tailored solutions – all at a fraction of the cost of a traditional law firm.
For specialist legal advice on how to prepare for the EU GDPR, get in touch with one of our business lawyers today on 01276 804432 to make an appointment.