For many modern businesses, collecting personal data is essential, whether for driving your products and services, staying in touch with customers or promoting your brand. Yet by holding this data, you're also exposed to a new level of risk, and it's your responsibility to keep your customers' details safe, secure and use them responsibly.
You only need to look at recent high profile data breaches, such as Yahoo!,Tesco Bank and Three Mobile, to understand the repercussions if customer data gets into the wrong hands. Investigations, fines and compensation payments could all be on the cards, not to mention the loss of your hard-won reputation.
That's why it's so important to comply with data protection legislation, to keep customer data as safe as possible, while also respecting consumer rights. All businesses in the UK must currently comply with the 1998 UK Data Protection Act, although in March 2018 this will be replaced by the EU GDPR (EU General Data Protection Regulation).
While the requirements of the EU GDPR are broadly the same as those currently in force, there are a number of enhancements. The potential fine for non-compliance will also rise to €20m – up from £500,000 under the current legislation – so if you're not already on top of your responsibilities, now is the time to act.
Here's an outline of your current data protection responsibilities and the key changes under the EU GDPR:
- What data is covered? Personal data is anything that can be used to identify an individual, including their name, email address, telephone number, date of birth or anything more specific such as an IP address, GPS data or health information.
- Register with the ICO: Before you do anything, you must inform the Information Commissioner's Office (ICO) that you are planning to collect, store and/or use personal information. You can find out more about registering with the ICO here. There are a few exceptions, but most businesses will need to register.
- There are a number of key principles that you must comply with:
- Process data justly and fairly: You must have a good reason for storing and using personal data. The data may well be necessary to providing your product or service – therefore incorporated in your contract with the client – or the customer must have given their permission for you to store and use it. And it should be an 'opt in' rather than an 'opt out' – no sneaking a tiny opt-out box where nobody can read it!
- Data must be adequate and not excessive: You should only hold as much information on individuals as you need. Anything you don't need should be destroyed.
- Personal data should be accurate and up-to-date: If you're holding a lot of data, it may be tricky to ensure it's all completely accurate. But you need to take reasonable steps to ensure it is as accurate and up-to-date as possible, putting processes in place to update or destroy old or inaccurate records.
- It shouldn't be kept longer than necessary: There is no minimum or maximum length of time that you can keep personal data, but you should consider how long you need it and destroy it once it's fulfilled its purpose. This also helps with point four, as it reduces the chance of you holding out-of-date, inaccurate data.
- Security: You must have sufficient security to avoid data being either deliberately or accidentally compromised, including both technical security and robust processes and procedures, including training your staff sufficiently. You must also be ready to respond to a breach if the worst happens.
- It should be processed in accordance with individuals' data rights: There are now eight rights to be aware of, enhancing on the six listed in the DPA. These cover an individual's right to have access to their data, have it erased, restrict usage and move it from one IT provider to another. Companies also have less time to comply with customer requests than under the DPA – only one month, rather than 40 days.
- Accountability: This aspect of the law has been strengthened significantly in the GDPR, stating that businesses must put in place measures to show that they are complying with the rules. This includes tools such as internal data protection policies, staff training, internal audits, and reviews of internal HR policies. The idea is to carry our 'privacy by design', whereby data protection is hardwired into the processes and behaviours of the organisation. If you carry out large-scale tracking of individuals, or processing of specialist data then you will also need to appoint a Data Protection Officer.
These are the key points to think about, and overall it amounts to good practice around data. Most of it you're probably doing already, but the key moving forward is to create documentation proving that's the case. If you need more detail on the requirements of the GDPR and your responsibilities, you should consult the ICO.
And don't forget, if the worst does happen, cyber insurance can protect you for a breach of data protection laws (where insurable by law) and your liability for handling data. It can also provide cover for extortion, system rectification costs, plus PR expenses and financial loss due to system downtime. To find out more, drop us a line at firstname.lastname@example.org, or give us a call on 0333 772 0759.