From 25th May 2018, Brexit or not, the EU-GDPR comes into force in the UK and with it an Information Commissioner's Office with a bite that's going to be as bad as its bark.
In fact, a bite that will take out a chunk the size of 4% of global annual turnover or €20m (whichever is greater) from organisations that show a blatant disregard for the rules. That is going to hurt far more than the fines the ICO can issue today.
These days unless you live “off-grid”, or are an anti-digital individual (in which case you’re probably not reading this), you will willingly share personal information with your smartphone and the apps that reside on it without so much as a second thought.
You probably also share your personal data with your local council, government and other organisations you trust, which is good. We get a lot of benefit and productivity from sharing data. But like all good things, there are some people who want to exploit it and others who just don’t know how to handle it.
Our data protection rights, enshrined in the Data Protection Act 2009, are there to protect us and provide a legal framework under which organisations are obligated to deliver that protection.
This becomes even more pertinent in our technology driven world, where personal data is no longer limited to name and address, but now includes GPS, biometric and even genetic data – and it doesn’t get much more personal than that. New vulnerabilities are created and exposed as organisations seek to use and exploit this data. With ever more sophisticated attempts to hack both public and private companies, large scale data breaches are hitting the headlines on a regular basis.
Let’s be clear on this. All organisations are going to be hacked in some way and at some point, and this will trigger an investigation by the ICO. Making sure technology vulnerabilities are addressed is an important aspect of protecting personal and corporate data. But ensuring you have customer consent to use their personal data in the first place should be front and centre.
One of the biggest impacts of the EU-GDPR will be the reduction in the time organisations have to respond to citizens who exercise their right to see what personal data is held about them. The challenge for many organisations is firstly identifying what data they hold and then recording where and how it is stored. Quite often this isn't straightforward, with data being held or stored in more than one place.
Successful organisations will have a culture that supports data security with dedicated employees and resources that go beyond simply establishing a set of data protection policies or guidelines. Privacy by design needs to be a part of any organisational culture, as well as being embedded within new systems, services and product designs.
Ahead of the EU-GDPR being introduced, leading organisations are already taking a look at their company culture and policies on data protection and, at the very least, are conducting a data audit to ensure compliance. The ICO has useful guidance on compliance, and there are a number of companies offering one-day courses on the EU-GDPR basics for teams responsible for looking after data.
The large-scale second data breach announced by Yahoo last week serves to remind us all that no organisation can afford to cut corners in protecting their customers' data. Being trusted by your customers to handle their data requires dedication at every level of your operation, quite often supported by expert guidance.
Now is the time to respond to this very real and immediate requirement by transforming your data handling and storage procedures to ensure they stand up to scrutiny.