The Government’s plans to revise the UK’s data protection laws, announced this week, will effectively ensure that the UK remains compliant with the EU’s General Data Protection Regulation (GDPR) which is applicable from May 2018.
This announcement is helpful for businesses and should clarify some of the confusion around the need or otherwise to prepare for the GDPR. According to a Netskope survey conducted in January 2017, more than half of the IT and security professionals surveyed had never heard of the GDPR, and three quarters reported that their employer did not provide any information in relation to it. In addition, a recent study claimed that a quarter of all businesses had cancelled their GDPR preparations because of Brexit, in the assumption that it will no longer apply to the UK once the country has left the European Union.
Under the proposed new legislation, the government will be bringing the GDPR into UK law which will help UK businesses post Brexit.
So what steps should businesses be taking now?
The first step to take is to conduct a data mapping exercise to ensure that businesses have a comprehensive overview of the data which is being collected, processed and held. A completed data map will show what categories of data are held and processed by the various business units, and demonstrate how data flows between business units and/or third parties.
Data controllers must know who the data belongs to, where and how it was collected, where it is stored, what the content is, when it was collected and for how long, and what the purpose of the collection was or is. Data mapping fulfils a crucial role in answering those questions and a good data map will clearly set out the flows of data and locations where data is held.
The forthcoming legislation is likely to require organisations to maintain records or processing activities (see, for instance, Recital 82 and Article 30 of the GDPR). Without data mapping, it will be near impossible for an organisation to meet its statutory (and often contractual) obligations in respect of collection, use, retention, disclosure and disposal of personal data.
It will be crucial to review on what basis personal data is being processed, to ensure that in a manner that is deemed fair, legal and legitimate. There are several grounds on which personal data may be processed, one of which is consent. Those organisations relying on consent for processing personal data should check how they obtain such consent – the so-called ‘opt-out’ consent, or pre-ticked boxes, or anything that assumes consent, will no longer be acceptable. It is therefore important to make sure that consent is validly obtained, freely given, specific, and informed.
A holistic approach
One of the aims of the new UK and EU data protection legislation is to ensure that organisations put data protection and privacy concerns at the heart of their operations – data considerations should become part of the integral business functions, and not an addendum. This explains the introduction of concepts such as “privacy by design” and “privacy by default” and is likely to require dedicated training not just to the IT or compliance departments, but to all staff members. Data breaches may occur through human error and due to a lack of specific training. As such, organisations should spend some time developing data protection training which is rolled out across their entities.
Top-management commitment is likewise crucial in highlighting the importance of data protection. The board of directors or equivalent ought to consider data protection at their board meetings, and actively promote the issues throughout the company. Data protection policies, updated to reflect the heightened requirements of the GDPR, and in time the UK’s data protection laws, should be considered, discussed and signed-off by the board, and circulated throughout the organisation.
The benefits of preparing now
Businesses should not wait for the UK Data Protection Bill to move through Parliament, but proceed as if complying with the GDPR which the draft Bill maps.
Fines for failing to comply will be significant, up to £17 million or 4% of the organisation’s worldwide turnover. For the largest companies, this could therefore mean potential fines going into the billions of euros.
The benefits of compliance go beyond fine avoidance. According to the Department for Digital, Culture, Media and Sport, research shows that “more than 80 per cent of people feel that they do not have complete control over their data online”. Those falling foul of the new data protection laws are therefore likely to suffer reputational damage in the eyes of an increasingly data-conscious public, so falling behind other companies in relation to data protection may mean less business in the future.
Conversely, being able to meet the GDPR’s standards by offering consumers greater control over their data, having processes in place to address erasure requests and being able to meet data portability demands is likely to make an organisation attractive to consumers inside and outside of the EU.
While such an overhaul of data processing practices may seem daunting, businesses that are prepared for the new legislation are not only protected from possible prosecution, they will also have the benefit of a heightened understanding of their business structures and operations – knowing how and where your data flows will give a good overview of every department and may uncover any duplications or inefficiencies. It should also strengthen general safety and security measures in relation to the storing and sharing of data – which should reduce the likelihood or frequency of breeches and any resulting costs. According to an extensive study conducted by IBM and the Ponemon Institute, in the UK alone the average costs for a data breach in 2016 was a staggering £2.53 million.
Protecting personal data goes beyond regulatory compliance, it should be seen as a component of good corporate governance; a function of an ethical business culture that demonstrating an organisation’s commitment to doing the right thing.
At a debate organised by GoodCorporation at the House of Lords on 20 May 2009 Will Hutton, Vice-Chair of the Work Foundation spoke on corporate governance and corporate responsibility. Will said that companies need to have a much clearer statement…
GoodCorporation’s second Business Ethics Debate to be held in Paris looked at whether or not business ethics can be said to add value to an organisation, or is it simply another cost that must be borne? In the introduction to…