Whether the UK stays in or leaves the European Union, new data protection laws will still apply to your business if you deal with others in the EU. This year the Network and Information Security Directive (NISD) is due to come into force, followed by the General Data Protection Regulation (GDPR) in 2018.
Only half of UK IT decision-makers are aware of the coming EU General Data Protection Regulation, compared with 87% in Germany, according to a survey by Trend Micro.
UK data protection laws have remained fairly static over the last 20 years; the existing UK Data Protection Act dates from 1998. Yet the digital landscape has changed dramatically in this time, and data breaches have become an all too common occurrence in recent years. The GDPR sets out to close this gap between the law and technology and, as stated above, even if the UK leaves the EU, any company that wishes to do business in the EU will need to comply.
Planning For New EU Data Protection Regulations
Taking a gamble on Brexit is probably not advisable, even if your organisation is focused solely on business in the UK and outside the EU. In fact, it is sensible for UK businesses to start planning for this new regulation now. When it comes into force in 2018 there will be a two-year adoption period, after which it becomes enforceable across all EU countries by data protection authorities and the courts. Two to three years is not a long time to address key changes and put best practice in place, which is why we are already advising our clients on data protection with GDPR in mind.
What do you need to consider and start planning for?
The following points increase the obligation on organisations to protect their data, and systems will need to be put in place to comply:
- Accountability: GDPR will mean that organisations must be able to demonstrate compliance with data protection requirements through adopting and implementing policies and procedures such as Privacy Impact Assessments, designing privacy using encryption to protect personal data, and keeping records of personal data use within an organisation
- The ‘right to be forgotten’: Organisations will need to be able to erase all of an individual’s personal data on request, with some exceptions
- Customer profiling: Restrictions on profiling of individuals – the right for an individual not to be subject to a decision based on automated profiling – for example profiling based on employment, location, financial information etc. The exception is if the organisation can prove a statutory basis for profiling, such as crime prevention
- Consent: Organisations using personal data analytics must also ensure that an individual’s data is freely given and requested in clear and plain language, and must allow individuals to see a copy of the data held about them
- Data breaches: Mandatory reporting of any serious data breaches to the Information Commissioner’s Office (UK) within 72 hours
- Pseudonymous data: Currently UK data protection laws only relate to data that directly identifies the individual, or identifies them when combined with other data held by the data controller. The new regulations will mean that all data, whether it identifies an individual directly or indirectly, will become ‘personal data’. This includes IP addresses and reference numbers
You will most likely already have spotted which of the new regulations will have the greatest impact on your organisation, but here are some of the challenges we are now helping our clients with:
Compliance: We’ve helped a number of clients, such as Marketing Sciences Unlimited, a market research agency, map out a range of services to address security audits and compliance in a business where data protection is paramount in all their dealings.
Data erasure: We’re helping companies manage their customers’ data more effectively across all their business systems so that should they receive a ‘right to be forgotten’ request, it will be possible to comply quickly and in accordance with GDPR regulations.
Data breaches: Organisations face hefty fines if they don’t report data breaches within the regulator’s timeframe. Our extensive experience working with companies on their business continuity planning includes putting in place procedures for assessing the severity of a data breach and reporting it accordingly.
If you would like to take part in one of our Discovery Workshops that address these issues and discuss how data protection regulations will impact your business, please register here or contact me directly for more information on firstname.lastname@example.org or 0845 507 0846.