General Data Protection Regulation? by David Preece, Partner, FBC Manby Bowdler
- Enforcement begins on May 25th, 2018
- You must have clear consent (and a record of that consent)
- You have a duty to notify the Information Commissioner’s Office (ICO) if you become aware of data breaches
- The subjects of your data have the right to access it or ask you to send it elsewhere
- Penalties go up to €20m or four per cent of turnover, whichever is higher
Brexit won’t blow it all over
Often one of the first questions asked on this topic is whether it should really be taken seriously, given that we as a country are on a course to leave the EU. The only answer is that these laws are due to be implemented before our leave date in 2019 and, even then, are likely to be adopted either in their entirety or as a version that closely resembles the European regulation. In any case, if you continue to handle the data of EU residents, you will need to comply with the full rules.
The next natural query is: what’s so different about GDPR? You could say it’s a root and branch reappraisal of the methods of collecting, storing, sharing and protecting data.
There is much more focus on whether and how permission to store and use the data was gained, ensuring it remains accurate, giving the subject the right to access it or to ask you to share it elsewhere and, critically, the steps you take to protect it.
It is very hard to think of a business that would not need to take action around GDPR. From the basic collection and use of email addresses for mailing lists all the way through to more sensitive data, such as personal, financial or health records that manufacturers may hold on staff, there are steps that must be taken and new practices that have to be introduced, if you are not to get caught out.
Action to take
You need to consider who has access to data and whether they are able to move it around. Yes, laptops and mobile devices are an area of risk (in this and other ways), but you also need to be considering the rather more complex issue of Internet of Things devices – the internet-connected equipment (such as TVs, security cameras, wireless switches and so on) which might present an unexpected risk to the cyber security of your business or even have the potential to leak sensitive data themselves.
“One of the key considerations of the regulation being enforced from next May is that its new penalties will come into force – and they are potentially devastating compared to what we have now.”
This can all seem to be a very big, complex and somewhat daunting job, especially for manufacturing SMEs who will not be in a position to hire their own specialists or form a department to deal with the implications and implementation.
However, the manufacturing sector businesses that deal with this well will be the ones who also embrace it as an opportunity. Many are sitting on a vast wealth of data that they are not recognising and making good use of. It could represent better intelligence about their customers and their habits, or it could be management data which can be leveraged to make the organisation more efficient and, therefore, profitable.
In fact, with the proper controls and safeguards in place, you may discover you have data that can be shared with third parties for profit, legitimately, and with the permission of the subjects.
There are many hurdles to clear in order to arrive at such a position, though, and the last thing anyone should be doing now is taking this lightly. A bit of fiddling around the edges will not protect you from falling foul of this regulation.
Drastic steps
Some larger businesses are taking quite dramatic steps in preparation for GDPR enforcement, as they realise what a minefield some of their data represents. Pub chain J D Wetherspoon actually deleted a customer email database of more than 650,000 addresses rather than validate that it had permission to hold them all; a process which holds its own pitfalls.
Other companies have been hit with significant fines for simply emailing people on their lists to ask if their information is up to date! In the case of Honda, that ran to £13,000 because it held no information on whether the recipients had ever opted in to its lists in the first place – and remember, those fines would be many times larger under GDPR.
The steps you need to take will vary by business type and we couldn’t hope to cover them here. Fundamentally, you need to ensure that everyone in your business is aware of the changes and the care with which data must be treated.
You need to assess what data you have, how it was obtained, whether you still have the right to have or use it and who you share it with. You need systems to log how and when your data is used and by whom, ways to ensure requested corrections and updates are made in a timely and accurate fashion (and shared with third parties who may also have that data) and a process to clearly and efficiently make information available in full to the people it is about if they ask.
Security: avoid expensive mistakes
Extremely importantly, you must take great care of data security. Breaches and losses of data are where the really big fines will be levied. The less care and preparation you have done, the more harsh the penalties are likely to be.
It’s highly likely that most businesses will need expert support to meet their GDPR obligations and the clock is now very much ticking. If you do not already have preparation in hand or know where your knowledge will come from, start talking to your professional advisors now. Right now.
Data, now, is at the heart of the economy. Every business is expected by law to take its responsibilities for data and the people it represents very seriously. The penalties for failure to do this will quite likely see the destruction of some businesses; you may argue that, by failing to prepare, they will have brought this on themselves. After two years of transition, ignorance will be no defence.