From a legal standpoint, data protection is one of the most important obligations that any business owner has to undertake.
Personal data is any information which can be used to identify someone, including (but not limited to) their name, address, telephone number, email address, and so on.
From customer addresses to staff contact information, businesses are a treasure trove of information. While this is good for marketing, sales and internal communication purposes, it is also particularly valuable for cybercriminals, who target businesses to obtain data for fraudulent activity.
In May 2018, data protection laws will change thanks to the introduction of a new directive from the European Union. This new ruling is called the General Data Protection Regulation (GDPR).
Currently, legislation around Data Protection in the UK is limited to the Data Protection Act, which was introduced in 1998 and has outlived its usefulness. Huge changes in the business and technology landscapes mean that new rules and regulations are long overdue; enter the GDPR.
The new directive is aiming to streamline data protection by bringing a standard practice into place for any and all businesses operating in the European Union (remember: the United Kingdom could still be a European Union member up until late March 2019).
What is my role in data protection?
Data protection is already a complex field, but it’s made even more confusing with language which can be difficult to decipher.
The first step is understanding which term applies to you and to your role in data collection and protection:
– Data controllers are organisations/individuals who collect personal data and decide how and why it is used
– Data subjects are individuals whose data is collected
– Data users are people who process information
– Data processors process information on behalf of data controllers
In real terms, this means that you and your business are data controllers, your customers (and to an extent, your employees) are data subjects and certain employees will be data users.
Finally, data processors are external companies who use data that you control. The scope is fairly wide; it could be solicitors, accountants, IT services or even postal services if you’re sending products or marketing material to your customers.
What will change with the GDPR?
The right to privacy of EU citizens is at the forefront of the regulatory change.
The GDPR brings into place new requirements for people and businesses collecting data, aiming for more robust practices. There are three stages to data collection:
At each of these stages, the onus is on the person collecting data to ensure that the entire process is compliant.
When collecting data, data controllers have an obligation to use plain language and to communicate clearly why the data is needed, how long it will be stored for and who it is passed to.
Consent must be clearly given, and data subjects need to understand what it is that they’re consenting to.
Data controllers and users will need to use extra safeguards to protect sensitive data.
Sensitive data (race or ethnic identity, political and religious ideology and health information) is private in nature, and privacy is a key consideration of the new directive, so it is subject to extra protection.
Data subjects must also be informed of breaches which present a risk to them.
Additionally, data being transferred outside of the European Union will need legal arrangements in place to guarantee its secure handling.
Businesses must respect the ‘right to be forgotten’. This is a recent concept which allows people to request that inaccurate, inadequate, irrelevant or excessive information about them be removed.
If a data subject asks that their data be removed, you must comply with the request, unless you have a right to refuse to comply, such as needing the data for a legal obligation.
How to ensure your business stays compliant
Clearly, there is extensive change coming to data protection law, and being prepared for the switchover in May 2018 is essential. That means making a start now.
First of all, establish whether you need to hire a data protection officer. This will depend on the amount of data you collect and what you use it for.
Consent to data processing no longer means a tick-box agreeing to terms and conditions; it will have to be a more transparent process, with easy-to-understand T&Cs and consent forms – this might mean you have to change settings on, for example, any email or newsletter sign-ups you conduct.
You will also need to keep detailed records of how your business processes data, and your record keeping needs to be robust and consistent.
Review your practices – including the reasons for data processing, where data is stored, how long you store it – and assess whether they are still adequate.
Penalties for non-compliant businesses
Depending on the breach, penalties range all the way from an initial warning, to a suspension of data processing, to a fine of up to €20m or 4% of global annual turnover.
- The official EU GDPR website is a one-stop shop where you can see the key changes, the timeline of the project, and some of the more difficult topics it addresses.
- The UK government also has a simple online guide which you can consult.
- Additionally, this report from BT offers essential advice on how to adjust to the upcoming changes to data protection law.
- The European Commission has produced a summary of the directive and created a useful infographic which explains the upcoming changes to data protection regulation.