Organisations across Europe and beyond have only just finished preparing for the General Data Protection Regulations (GDPR) – tough new rules which fundamentally change the way data is processed, stored and deleted.
The European Commission regulations bring heavy fines of up to four per cent of global turnover for losing sensitive customer information. Any processing of personal data must be justified and any data not being actively used should be deleted.
Systems must be designed from the ground up with privacy and data protection in mind. The old ways of putting processes in place afterwards are no longer good enough.
The rules cover not just European businesses but any organisation in the world which deals with data belonging to any European citizen or organisation. But the British government has announced plans to put in place its own rules as part of the UK’s departure from the European Union.
The difficulty is that the Data Protection Bill will have to quite closely follow GDPR in order for UK businesses to keep trading with Europe. Equally, many companies around the world trade into Europe via the UK and they too will have to follow GDPR.
There’s no doubt there is a need for stronger rules to deal with the data-rich world in which we now live. But the constant change makes life difficult for organisations trying to comply with a shifting set of rules.
However, Colin Truran, Principal Technology Strategist at Quest, speaking in a recent CBR video interview, stressed that the change was an opportunity as well as a risk for British business.
He said: “The media has been focusing on the extensive penalties that are coming in, but also the litigation and class action risks. But beyond this there is a fantastic opportunity for businesses to disrupt the market, to become much better to provide the facilities and the protection that data subjects require.
“They can become outstanding and uphold what we really need in today’s data-rich, over-sharing environment. They can turn this into a competitive advantage, and that’s how they should be viewing it and budgeting for it.”
Organisations are in a tough position because they need to put protections in place now to meet GDPR, which will likely come into force before the new Data Protection Bill is passed into law. But it is likely that UK regulations will follow GDPR fairly closely anyway, certainly in its basic premises.
These include reducing the differences between data processors and data owners – every organisation dealing with data will have very similar responsibilities, both for the data they hold themselves and for ensuring that any partner organisations are also following the rules. GDPR puts data subjects back in charge of their own data. Marketing organisations will need to toughen up opt-in and permission processes for all data they collect or keep.
Two potential exemptions mentioned by the Data Protection Bill would reduce restrictions on UK-based academic processors of data and some financial services.
The UK will not want to create rules which isolate it from the rest of Europe so the new legislation is likely to build from the baseline of GDPR. Truran noted that businesses do not have to face the changes on their own. Industry organisations can offer industry-specific advice.
The Information Commissioner’s Office is also a good source for best practice as well as dealing with specific enquiries.
There are specific responsibilities for senior management – including the appointment of one individual, the data protection officer, who will have to take personal responsibility in case of mistakes and data breaches – GDPR offers prison sentences for serious failures.
Regardless of whether your business chooses to follow GDPR or the Data Protection Bill, there is no doubt that regulators around the world are taking data privacy and protection far more seriously.
International data sharing agreements will become more complex and the issue as a whole has to be taken far more seriously than it might have been in the past. Using old databases, or even still storing them, could lead to harsh penalties.
A vital first step is for organisations to ensure that all staff are properly trained to understand the increasing sensitivity which the new rules require. Just as cyber security is now seen as an important part of everyone’s job responsibilities, privacy and data protection now need to be taken equally seriously.
But the good news is that there will be rewards for companies which get the right policies in place, not just in avoiding the heavy penalties for failure but in winning new customers by making your organisation a beacon of best practice for transparent and effective data management and protection.
To see the video interview follow this link: https://business-review-vodcasts.com/cbr-quest-2/