General Data Protection Regulation? by David Preece, Partner, FBC Manby Bowdler
Data protection: reach extended and claws sharpened
Brexit won’t blow it all over
Often one of the first questions asked on this topic is whether it should really be taken seriously, given that we as a country are on a course to leave the EU. The only answer is that these laws are due to be implemented before our leave date in 2019 and, even then, are likely to be adopted either in their entirety or as a version that closely resembles the European regulation. In any case, if you continue to handle the data of EU residents, you will need to comply with the full rules.
The next natural query is: what’s so different about GDPR? You could say it’s a root and branch reappraisal of the methods of collecting, storing, sharing and protecting data.
There is much more focus on whether and how permission to store and use the data was gained, ensuring it remains accurate, giving the subject the right to access it or to ask you to share it elsewhere and, critically, the steps you take to protect it.
It is very hard to think of a business that would not need to take action around GDPR. From the basic collection and use of email addresses for mailing lists all the way through to more sensitive data, such as personal, financial or health records that manufacturers may hold on staff, there are steps that must be taken and new practices that have to be introduced, if you are not to get caught out.
Action to take
“One of the key considerations of the regulation being enforced from next May is that its new penalties will come into force – and they are potentially devastating compared to what we have now.”
This can all seem to be a very big, complex and somewhat daunting job, especially for manufacturing SMEs who will not be in a position to hire their own specialists or form a department to deal with the implications and implementation.
However, the manufacturing sector businesses that deal with this well will be the ones who also embrace it as an opportunity. Many are sitting on a vast wealth of data that they are not recognising and making good use of. It could represent better intelligence about their customers and their habits, or it could be management data which can be leveraged to make the organisation more efficient and, therefore, profitable.
In fact, with the proper controls and safeguards in place, you may discover you have data that can be shared with third parties for profit, legitimately, and with the permission of the subjects.
There are many hurdles to clear in order to arrive at such a position, though, and the last thing anyone should be doing now is taking this lightly. A bit of fiddling around the edges will not protect you from falling foul of this regulation.
Other companies have been hit with significant fines for simply emailing people on their lists to ask if their information is up-to-date! In the case of Honda, that ran to £13,000 because it held no information on whether the recipients had ever opted in to its lists in the first place – and remember, those fines would be many times larger under GDPR.
The steps you need to take will vary by business type and we couldn’t hope to cover them here. Fundamentally, you need to ensure that everyone in your business is aware of the changes and the care with which data must be treated.
You need to assess what data you have, how it was obtained, whether you still have the right to have or use it and who you share it with. You need systems to log how and when your data is used and by whom, ways to ensure requested corrections and updates are made in a timely and accurate fashion (and shared with third parties who may also have that data) and a process to clearly and efficiently make information available in full to the people it is about if they ask.
Security: avoid expensive mistakes
It’s highly likely that most businesses will need expert support to meet their GDPR obligations and the clock is now very much ticking. If you do not already have preparation in hand or know where your knowledge will come from, start talking to your professional advisors now. Right now.
Data, now, is at the heart of the economy. Every business is expected by law to take its responsibilities for data and the people it represents very seriously. The penalties for failure to do this will quite likely see the destruction of some businesses; you may argue that, by failing to prepare, they will have brought this on themselves. After two years of transition, ignorance will be no defence.