General Data Protection Regulation? by David Preece, Partner, FBC Manby Bowdler

Time to put data front and centre, says David Preece, Partner, FBC Manby Bowdler. Data protection is a rather dry subject that is getting a new lease of life, because it is going to be on the lips of everyone in business very, very soon. Most business owners and managers are familiar with the Data Protection Act. Since the original Act in 1984, and its later revisions, it has governed how businesses store, protect and manage data. That is all about to change in a big way, and manufacturers need to be able to show they have addressed those changes and are working to the new regulation from May 25th 2018. The General Data Protection Regulation (GDPR) is European law which came into force in May 2016, but it will affect everyone from next year, when it becomes enforceable.

Data protection: reach extended and claws sharpened

Crucially, GDPR goes much further than the Data Protection Act. It does so with the aim of bringing the use of personal data in line with the times we live in, where data is currency in its own right and so much of it is being collected and shared that abuse of it is ever more likely. In fact, those who framed the regulation at the European level argue that it is as much about enabling those who store and process data to legitimately make a commodity of it, without trampling over the rights of every person they hold information on. One of the key consequences of the regulation being enforced from next May is that its new penalties will come into force, and they are potentially devastating compared to what we have now. There are two tiers: the first is up to €10m or two per cent of a company's global turnover for the previous year, whichever is the higher; the second is up to €20m or four per cent of the previous year's global turnover, again whichever is the higher. This is a significant difference to the fines the Information Commissioner's Office can currently levy. Taking a high-profile example: TalkTalk's 2016 fine of £400,000 for a breach in which attackers accessed customer data would, on the author's calculation, have rocketed to £59m under GDPR. Figures like that should be enough to make anyone pay attention.

Key things to know about GDPR

  • Enforcement begins on May 25th, 2018
  • Where you rely on consent, it must be clear, freely given and recorded (when, how and to what wording the person agreed)
  • You have a duty to notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a data breach that is likely to put individuals at risk
  • The subjects of your data have the right to access it, to have it corrected, or to ask you to send it elsewhere
  • Penalties go up to €20m or four per cent of global turnover, whichever is the higher

Brexit won’t blow it all over

Often one of the first questions asked on this topic is whether it should really be taken seriously, given that we as a country are on a course to leave the EU. The only answer is that these rules take effect before our leave date in 2019 and, even then, are likely to be retained either in their entirety or as a version that closely resembles the European regulation. In any case, if you continue to handle the data of EU residents, you will need to comply with the full rules.
The next natural query is: what’s so different about GDPR? You could say it’s a root and branch reappraisal of the methods of collecting, storing, sharing and protecting data.
There is much more focus on whether and how permission to store and use the data was gained, ensuring it remains accurate, giving the subject the right to access it or to ask you to share it elsewhere and, critically, the steps you take to protect it.
It is very hard to think of a business that would not need to take action around GDPR. From the basic collection and use of email addresses for mailing lists all the way through to more sensitive data, such as the personal, financial or health records that manufacturers may hold on staff, there are steps that must be taken and new practices that have to be introduced, if you are not to get caught out.

Action to take

You need to consider who has access to data and whether they are able to move it around. Yes, laptops and mobile devices are an area of risk (in this and other ways), but you also need to be considering the rather more complex issue of Internet of Things devices: the internet-connected equipment (such as TVs, security cameras, wireless switches and so on) which sits on the same network as the systems holding personal data and might provide an unexpected route into your business, or even have the potential to leak sensitive data itself.


This can all seem to be a very big, complex and somewhat daunting job, especially for manufacturing SMEs who will not be in a position to hire their own specialists or form a department to deal with the implications and implementation.
However, the manufacturing businesses that deal with this well will be the ones who also embrace it as an opportunity. Many are sitting on a vast wealth of data that they are not recognising or making good use of. It could represent better intelligence about their customers and their habits, or it could be management data which can be used to make the organisation more efficient and, therefore, more profitable.
In fact, with the proper controls and safeguards in place, you may discover you have data that can be shared with third parties for profit, legitimately, and with the permission of the subjects.
There are many hurdles to clear in order to arrive at such a position, though, and the last thing anyone should be doing now is taking this lightly. A bit of fiddling around the edges will not protect you from falling foul of this regulation.

Drastic steps

Some larger businesses are taking quite dramatic steps in preparation for GDPR enforcement, as they realise what a minefield some of their data represents. Pub chain J D Wetherspoon actually deleted a customer email database of more than 650,000 addresses rather than validate that it had permission to hold them all, a process which holds its own pitfalls.
Other companies have been hit with significant fines simply for emailing people on their lists to ask if their information is up to date. In the case of Honda, that ran to £13,000 because it held no record of whether the recipients had ever opted in to its lists in the first place; and remember, those fines would be many times larger under GDPR.
The steps you need to take will vary by business type and we couldn’t hope to cover them here. Fundamentally, you need to ensure that everyone in your business is aware of the changes and the care with which data must be treated.
You need to assess what data you have, how it was obtained, whether you still have the right to hold or use it and who you share it with. You need systems to log how and when your data is used and by whom, ways to ensure that requested corrections and updates are made in a timely and accurate fashion (and passed on to third parties who may also hold that data), and a process to clearly and efficiently make the information you hold available in full to the people it is about if they ask.
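To make that record-keeping concrete, here is a small register that does the four things the paragraph asks for: it stores the consent behind each use of personal data (when, from where and to which wording), refuses to share data for a purpose no live consent covers, returns the list of third parties who must be told about a correction, and produces a full export for a subject access request, with every access and change written to a hash-chained audit trail so later tampering is detectable. This is an added example written for this page, not code from the article or from FBC Manby Bowdler; the class and field names, the purposes, the actors and the sample staff record in demo() are all constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # "previous hash" of the first audit entry


@dataclass
class ConsentRecord:
    purpose: str               # what the data may be used for, e.g. "marketing-email"
    granted_at: str            # ISO-8601 UTC timestamp of when consent was given
    source: str                # where it was captured (web form id, paper form reference)
    text_version: str          # version of the wording the person actually agreed to
    withdrawn_at: Optional[str] = None


class PersonalDataRegister:
    """Personal data, the consent behind it, who it was shared with, and an
    append-only audit trail in which each entry hashes the one before it."""

    def __init__(self):
        self.records = {}      # subject_id -> {field: value}
        self.consents = {}     # subject_id -> [ConsentRecord]
        self.recipients = {}   # subject_id -> {third party the data went to}
        self.audit = []        # list of event dicts, never edited after append

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def _log(self, actor: str, action: str, subject_id: str, detail: str = "") -> None:
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        event = {"at": self._now(), "actor": actor, "action": action,
                 "subject": subject_id, "detail": detail, "prev": prev}
        event["hash"] = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
        self.audit.append(event)

    def verify_audit_chain(self) -> bool:
        """True unless an entry was edited, removed or reordered after being written."""
        prev = GENESIS
        for ev in self.audit:
            body = {k: v for k, v in ev.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != ev["hash"]:
                return False
            prev = ev["hash"]
        return True

    def record_consent(self, actor, subject_id, purpose, source, text_version) -> None:
        self.consents.setdefault(subject_id, []).append(
            ConsentRecord(purpose, self._now(), source, text_version))
        self._log(actor, "consent-granted", subject_id, f"{purpose} via {source} v{text_version}")

    def withdraw_consent(self, actor, subject_id, purpose) -> None:
        for rec in self.consents.get(subject_id, []):
            if rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = self._now()
        self._log(actor, "consent-withdrawn", subject_id, purpose)

    def has_consent(self, subject_id, purpose) -> bool:
        return any(r.purpose == purpose and r.withdrawn_at is None
                   for r in self.consents.get(subject_id, []))

    def store(self, actor, subject_id, data: dict) -> None:
        self.records.setdefault(subject_id, {}).update(data)
        self._log(actor, "store", subject_id, ",".join(sorted(data)))

    def share(self, actor, subject_id, recipient, purpose) -> bool:
        """Shares only when a live consent covers the purpose; both outcomes are logged."""
        if not self.has_consent(subject_id, purpose):
            self._log(actor, "share-refused", subject_id, f"{recipient}: no consent for {purpose}")
            return False
        self.recipients.setdefault(subject_id, set()).add(recipient)
        self._log(actor, "share", subject_id, f"{recipient} for {purpose}")
        return True

    def rectify(self, actor, subject_id, field, value) -> list:
        """Applies a correction and returns the third parties who must be told about it."""
        self.records.setdefault(subject_id, {})[field] = value
        self._log(actor, "rectify", subject_id, field)
        return sorted(self.recipients.get(subject_id, set()))

    def subject_access_export(self, actor, subject_id) -> dict:
        """Everything held about one person, in a form that can be handed to them."""
        self._log(actor, "subject-access", subject_id)
        return {"data": dict(self.records.get(subject_id, {})),
                "consents": [asdict(c) for c in self.consents.get(subject_id, [])],
                "shared_with": sorted(self.recipients.get(subject_id, set())),
                "history": [e for e in self.audit if e["subject"] == subject_id]}


def demo() -> PersonalDataRegister:
    """Constructed sample data (not a real person): one staff record with two consents."""
    reg = PersonalDataRegister()
    reg.record_consent("hr-portal", "emp-0042", "payroll", "contract-2017", "1")
    reg.record_consent("web-form", "emp-0042", "marketing-email", "newsletter-signup", "3")
    reg.store("hr-portal", "emp-0042", {"name": "A. Example", "email": "a@example.com"})
    reg.share("payroll-run", "emp-0042", "Payroll Bureau Ltd", "payroll")
    return reg
```

The hash chain is what turns the log from a convenience into evidence: a regulator or auditor can recompute it and see that nothing was quietly altered after a breach. In a real deployment the chain head would be copied somewhere the application cannot write to (a separate log service or periodic signed checkpoint), since an attacker who can rewrite the whole list can also rebuild the chain.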

Security: avoid expensive mistakes

Extremely importantly, you must take great care over data security. Breaches and losses of data are where the really big fines will be levied, and the less care and preparation you have taken, the harsher the penalties are likely to be.
It’s highly likely that most businesses will need expert support to meet their GDPR obligations and the clock is now very much ticking. If you do not already have preparation in hand or know where your knowledge will come from, start talking to your professional advisors now. Right now.
Data, now, is at the heart of the economy. Every business is expected by law to take its responsibilities for data and the people it represents very seriously. The penalties for failure to do this will quite likely see the destruction of some businesses; you may argue that, by failing to prepare, they will have brought this on themselves. After two years of transition, ignorance will be no defence.