People’s personal information – from names and addresses to a customer’s buying habits – is incredibly valuable to organisations; so much so that data is often referred to as ‘the new money’.
But while its value rises, data is also becoming more vulnerable. Recent high-profile data breaches show how easily the personal information organisations hold on us can fall into the wrong hands. From poor security, staff mistakes and vulnerable software to a lost USB stick, there are many ways that data can be put at risk.
The current law, the Data Protection Act 1998, is widely thought to be unfit for purpose. Widespread business use of the internet, Google and email as standard did not arrive until a few years after it was written, and the sophisticated uses of technology we now see in profiling consumer spending patterns had not even been imagined at that time.
Set against this backdrop, the data protection law is now changing. A year from today a new law will be in force – the General Data Protection Regulation (GDPR), which applies from 25 May 2018 – and it represents a seismic shift in the way organisations, large and small, can use your personal data. The legislation is EU-wide, but the UK government has confirmed it will be implemented in full here across all sectors, despite the recent Brexit vote. For many organisations this new law will necessitate huge changes to the way their internal processes are run, and they now have only a year to get their house in order.
The exploitation of data and consumer profiling is a hugely profitable industry, and more and more businesses will be looking at sophisticated ways to target potential customers. For this to happen, data is likely to be shared between several organisations, including sub-contracted software companies, all of whom will need to know how to share data legally. The GDPR is the first data protection law to regulate this profiling environment directly, and it will mean many companies need to re-evaluate the permission they have been seeking from customers to analyse their behaviour.
So what is going to change? One of the biggest changes is the punishment that organisations will face if they breach the new rules. Fines will increase from the current maximum of £500,000 to up to €20 million or 4% of worldwide annual turnover (whichever is higher). Organisations can also be fined for failing to report a breach (on the lower tier of up to €10 million or 2% of worldwide turnover), separately from any fine for the security failure itself.
It will become harder for organisations to obtain consent to use data: there will be no more implied consent. Consent must be freely given, specific, informed and unambiguous, and shown by a clear affirmative action, so silence, pre-ticked boxes or inactivity will no longer count. This will have a drastic impact on businesses that collect customer data for marketing purposes, particularly online. For customers, it will mean more clarity and control over who can use your data and how they can use it.
The new law will give each of us more rights to say how our data is used, including the ‘right to be forgotten’ (the right to erasure) and the right to object to your data being used for profiling or direct marketing, as well as a strengthening of the existing right to unsubscribe at any time from marketing emails and the right to request a full copy of the information held about you (known as a subject access request), which must normally be answered free of charge and within a month.
The GDPR will bring in ‘mandatory breach notification’, putting the onus on businesses to notify the supervisory authority (the ICO in the UK) of a personal data breach without undue delay and, where feasible, within just 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Where the breach is likely to result in a high risk to those individuals, they must be told as well. Late notifications have to be accompanied by the reasons for the delay.
Perhaps the greatest change in the law, and the hardest for organisations to comply with, will be the greater accountability requirements. The GDPR requires companies to be able to demonstrate, with comprehensive documentation and evidence, their compliance with the rules. Detailed internal written records of processing activities must be kept, including the purpose of the processing, the security measures used and the extra safeguards put in place for dealing with ‘special category’ data (what the current law calls sensitive personal data, including information on people’s health, religion, race and sexual orientation).
Organisations need to start getting ready for the GDPR now. Steps include preparing for security breaches by putting in place a tested incident response procedure that can detect, contain and assess a breach quickly enough to meet the 72-hour notification window, and ensuring IT systems have security measures appropriate to the risk (the GDPR’s own test), such as encryption or pseudonymisation of personal data, access controls, the ability to restore data promptly after an incident, and regular testing of those measures. Organisations should also review all of their data processing activities, including employee data, supplier data, customer data and all historic data that may be held on their systems, and carry out a thorough audit; data protection will need to be built into every project from the outset (what the GDPR calls data protection by design and by default). They may need to change the way they collect, store, use and share data.
Although the legislation is still a year away from coming into force, many businesses will need that long to get ready for the major changes that are on the horizon.