Since the Data Protection Act (DPA) was passed in 1998, the world has changed. According to the latest figures from Ofcom, the average adult now spends double the time online that we did ten years ago. That is not surprising: we shop, bank, work and even date online, and while that is great for convenience it raises some huge issues around data security.
So, how do we keep our businesses and their customers safe when there’s so much personal information floating around in cyberspace? It’s not always easy, that’s for sure.
The General Data Protection Regulation (GDPR) is intended to make it simpler for businesses and organisations to manage their day to day data protection responsibilities.
GDPR applies from 25 May 2018. Like a lot of small and medium businesses in the UK, you would be wrong to think you have plenty of time and that it is fine to leave it for a while. This is one of the biggest and most important pieces of legislation to affect European businesses for a long time, and it is complex. It is essential for the future of your business that you start dealing with it now and do everything you can to ensure you are ready.
The whole idea of personal data is changing.
Up until now, personal data has been thought of in terms of things like names, addresses and dates of birth. The GDPR takes this idea much further: online identifiers such as an IP address or a cookie ID can now be classed as personal data and have to be managed accordingly. The Regulation applies to automated processing of personal data and to manual filing systems and paper records alike, so if something is already subject to the Data Protection Act, the same will apply under GDPR. There are also special categories of personal data. These are much the same as those listed in the DPA, with some amendments, as set out in Articles 9 and 10 of the Regulation. I won't bore you with the legal wording, but the full text is available online.
All companies and charitable organisations in the UK will need to show that the personal data they collect is adequate, relevant and limited to what is necessary for the purpose it is collected for. That means no asking for information you don't really need just to fill some space on a form, or because you have a vague idea that it might come in handy one day. If you ask for it, you will have to be able to justify why. This is going to mean updating policies, conducting regular audits and implementing data protection strategies. As you might expect, this will be a long and unwieldy process that requires patience, attention to detail and a lot of background knowledge.
Of course, all of this was outlined in the Data Protection Act, and as business owners we were all compliant with that, but it is worth having a refresher. There are two categories of people who have responsibility for handling data: controllers and processors.
Controllers have the overall say on what and how personal data is used within an organisation, and processors act on their behalf.
Processors will have direct legal obligations of their own for the first time, and can be held liable for breaches of them, while controllers will be expected to ensure that everyone in their team is up to date with compliance.
In most small businesses that means the business itself, and in practice the owner, will be the "controller". If your staff haven't done what is expected of them, even if you asked them to, and it causes a confidentiality breach of any kind, the controller remains accountable for not having checked.
This is a Regulation that applies to all organisations established in the EU AND to those outside the EU that offer goods or services to, or monitor the behaviour of, people within it. It is happening, and all UK businesses will be subject to it regardless of Brexit or any other localised political changes.
If you don't take the GDPR seriously, you WILL be liable. Personal data is serious business, and if you put any of your customers or other stakeholders at risk then you will be liable for a hefty fine, which could mean not only embarrassment and expense but the total loss of your business.
Non-compliance will not just mean a slap on the wrist, either: the potential fines are up to €20 million or 4% of annual worldwide turnover, whichever is greater.
Managing consent doesn't just mean asking permission to send your customers direct marketing communications. Where consent is the lawful basis you rely on, it is about ensuring they have actively agreed to you holding their personal data in the first place, and consent is only one of the lawful bases available, so you need to know which one applies to each thing you do with the data.
Whichever way you look at it, this is going to involve some hard work.
You will need to communicate with all customers and keep a clear, easy to follow record showing what consent was given, when and how, and any changes to the data you hold. Remember, all individuals have the right to access any data held about them, and they also have the right to object. If anyone exercises these rights it must be clearly documented and respected. You will be legally required to uphold your clients' rights at all times.