Data protection and privacy rules are in a state of flux. UK businesses should be putting the very final touches to their systems so that they are ready for the General Data Protection Regulation (GDPR), an EU-wide change which applies from 25 May next year.
But adding to the general uncertainty created by the United Kingdom’s withdrawal from the European Union, the government has also promised to change domestic data protection rules once we are out of the EU.
In the short term the advice to UK firms is to carry on getting GDPR in place first.
The rules bring about quite fundamental changes in how personal data is treated, whether your organisation is a data controller (the party deciding why and how data is used) or a processor acting on a controller’s behalf. They also bring in hefty fines of up to 20 million euros or four per cent of global annual turnover, whichever is higher, and the UK bill adds criminal offences, with the prospect of prosecution for individuals at companies which get it wrong.
Exactly how the new UK rules will differ from GDPR remains to be seen. The Data Protection Bill was presented to Parliament last month and will be changed as it goes through Lords and Commons committees.
The Data Protection Bill will add to GDPR rather than replace it: it covers areas such as national security and law enforcement processing which fall outside GDPR, and it defines exactly how the European law will work in the context of the United Kingdom, including where the UK exercises the options GDPR leaves to member states.
But it seems likely that there will be slightly greater leniency for academic organisations and for financial services in how they store and process data.
The reality is that both sets of rules are pushing in the same direction – strengthening personal control of data.
Whatever the details of the new bill, organisations need to prepare now using the same processes which they used to get ready for GDPR.
The first step is making sure the relevant staff know that the changes are coming and what they will need to do to comply with the new rules.
The next step is mapping exactly what personal data your business stores and processes, where and how it is kept, where it came from and who it is shared with.
Once that is done you must ensure you have a lawful basis for storing or processing each category of data. The definition of processing is very broad, covering any operation performed on personal data, so systems which automatically collect information, back it up, or shift it between databases or storage systems are processing it just as much as the application that displays it.
This might also require you to update or rewrite any consent agreements which form part of contracts, sign-up processes on websites or for marketing campaigns.
The next step is deciding what data you can keep, what data will need to be deleted, and what data will need fresh consent from individuals or businesses so that it can continue to be used. Where consent is the basis relied on, it must be freely given, specific and informed, so consent obtained through pre-ticked boxes or buried in terms and conditions is unlikely to be good enough.
There is no doubt that the changes do increase responsibilities for British businesses.
But there is also an opportunity for firms to demonstrate they take data protection seriously and make it a competitive advantage.
There is a chance for businesses to become beacons of best practice and win customers away from firms which are slow to change.
The new rules might seem like an irritating bureaucratic overload, but they reflect both the reality of today’s data-centred business world and the public’s increasing understanding of the importance of data protection and privacy.
Data is central to every business today, so getting the housekeeping right is a vital first step in ensuring that your organisation is not just complying with the law but also providing a service which is fit for purpose.
Only by getting this right will your infrastructure be able to make the best use of the data the business holds without risking its reputation or an expensive run-in with the regulators.
There is a useful introduction from the ICO, setting out twelve steps organisations can take now to prepare, here:
https://ico.org.uk/media/for-organisations/documents/2014918/dp-bill-12-steps-infographic.pdf