Data on people is highly valuable and used by organisations for a variety of legitimate purposes, not least for targeting business marketing, but also for providing advice or monitoring health as well as other purposes such as for research.
But such information is also valuable to those with less honourable motives, and rarely a week passes without news of an organisation’s database being stolen or “hacked” for nefarious purposes.
Any business that holds information about people must be registered with the Information Commissioner’s Office and must comply with the Data Protection Act 1998 which focuses on the use of such data. This is about to be updated to also focus on the security of data.
GDPR, the new EU-wide data protection legislation
The Data Protection Act 1998 will be updated by the GDPR (General Data Protection Regulation), which comes into effect on 25 May 2018 and imposes significant obligations on Controllers and Processors of Personal Data, with scope for large fines.
The UK Government has confirmed that it will comply with GDPR regardless of the decision to leave the EU.
GDPR is designed to improve consistency in protecting and strengthening consumers’ rights over their personal data, although work is continuing on refining the regulations.
Even the smallest SMEs hold and process data on individuals. They are subject to GDPR and will be required to document decisions that are made about processing and the security of that data. This means showing that the data has been lawfully collected for specified and legitimate purposes, and that the details of what has been collected are specific and limited to those purposes.
The information must be protected, held securely and stored for no longer than required.
Businesses should be looking at their data collection, storage and processing systems to be ready in time for the new regulations. This is especially important for those using CRM (Customer Relationship Management) systems and for those collecting information via their websites.
They must have the consent of the individual concerned to collect and hold personal information, and be able to prove that consent was given. This is a specific opt-in requirement: the current assumption that silence or pre-ticked boxes amount to consent will no longer apply.
Among the rights businesses must give individuals are the right of access to and correction of the information held, the right to its removal and to restriction of its processing, and the right to object. Businesses will therefore need acceptable governance in place to ensure all these rights are acted on, on request and in a timely manner. Businesses will also be required to appoint a designated Data Protection Officer (DPO).
Opt-outs from the regulations, known as derogation, will be allowed only in some situations – such as for national security reasons.
Failure to comply can result in fines of up to €20 million or 4% of global turnover, whichever is the greater. Compare this with the £400,000 fine imposed on TalkTalk for failing to implement the most basic cyber security measures, a breach of the seventh principle of the Data Protection Act, following the theft of personal information it held on 150,000 customers.