Data Protection was introduced as a legal concept, beyond confidentiality rules in 1998 when the Data Protection Act was passed and the ICO was set up.
At Christmas 2017 there were about 100 employees at the ICO. When the changes to the rules are introduced on 25 May, the ICO will have recruited 300 more employees. In these stringent times, the government would not be increasing staff unless it hoped to make a profit. The way it will make a profit will be to fine non-compliant businesses.
So what is this data that needs to be protected?
Anything that can identify a person such as name, ID, location data, online identity, phone numbers, email addresses.
This data is what businesses hold about every one of us, as employees and customers. Our information needs to be protected. Every business that has this information must be registered with the ICO, must have a protocol and data plan, must protect the information it holds and must allow access to that information. This is done by each company’s Data Controller and Data Processors who must be trained in data usage.
Data must be kept in a lawful way, for a specific reason and protected at all times. Individuals have rights that must be upheld by Data Controllers. Everyone who is an employer or provides services to the public or accepts services from the public will hold personal data. The data must be stored safely, kept no longer that necessary and the data controller will be accountable for any breaches. You must have a lawful valid reason for holding the data.
Lawful reasons include consent, necessity or if there is a legal obligation. Some businesses think that this last reason is a catch all in that they have contracts with suppliers, customers, and employees and so it is necessary to keep their data. However, this would not cover sending out Christmas cards or telling people about new offers and services. Anything beyond the legal contract is not covered and so the safest way for businesses to protect themselves is to get clear and positive consent. The tick box saying you are happy to receive emails on future offers is unlikely to be adequate. People need to know what they are signing up for.
And so, what needs to be considered is why you have the information and what do you need it for. Questions to ask include who benefits from the data, what is the relationship between the parties and is the data subject likely to object? These questions should be asked by staff that have had training in Data Protection and have the responsibility to use the data and understand the importance of keeping data safe. What businesses need is to undertake a data audit, check protocols and assess risks.
Loss of data must be reported and can result in fines, but failure to report will result in a bigger fine. The reason for GDPR is so in vogue at present is the sizes of fines now available to the ICO.
In 2016, you may recall that Talk Talk had a data breach when a 14-year-old hacker managed to get into the records of all the company’s residential customers. The 14-year-old has, by committing this offence, probably secured himself a high paying job with a bank or the security services. But the ICO gave the biggest fine ever of £400K to Talk Talk. Not surprisingly the company took this all very seriously and now every member of staff with access to data is given quarterly training, all staff have had training about their data responsibilities and if you do business with Talk Talk, they are the most data compliant business in the country. The fine was effective. However, had the breach occurred on 26 May this year, the fine could have been 51 Million, perhaps enough to close the company down or at least affect dividends for several years. And remember these fines of up to £20,000,000 can be for each breach. The fines can soon mount up and the ICO have draconian powers under GDPR
What needs to be done?
Review your protocol, develop responses and consider safety.
Update your employment records and ask data subjects for consent. The ICO has said that this is evolution not revolution and so if you are compliant with current data protection rules, it is a matter of tweaking and bringing them up to date. If you are not, then you have a lot of work to do in the next two months.
The days of receiving two emails a day from big retailers are numbered. I recall having to pick up a late instruction from a colleague whose plane had been delayed in Eastern Europe. This was regarding the sale of part of a company and I found out at 9.30 that the meeting at 10.30 included two lawyers who had travelled over from Germany. I was wearing a rugby shirt and a pair of jeans. I went across the road to a big retailer and bought a suit and tie and as this was £300 I wasn’t expecting to spend that morning, I applied for the store card for a 10% discount. I have not been to the shop since, but I still get weekly emails about their offers. From the 25 May they are going to have to ask me nicely before sending the emails.
The irony is that come 26 May, asking for permission will be in breach of the regulations because you will be using data without consent for a reason that may not be necessary.