On 15 December 2015, the European Parliament, Council and Commission reached agreement on new data protection rules, establishing a modern and harmonised data protection framework across the EU. The Regulation was adopted by the European Parliament on 14 April 2016, with the new rules becoming applicable to all EU member states after two years. Despite the Leave vote, the UK has confirmed that the General Data Protection Regulation (GDPR) is on track to come into force in the UK on 25 May 2018.
Under the EU framework serious violations will mean a penalty of €20m or 4% of global turnover, whichever is greater.
The move to comply with the new Regulation will require significant changes to how customer data is handled and will affect businesses in a number of ways. It will require accurate maintenance of documentation of customer data and systems recording the exact method and details of customer consent. Customer consent must now be freely given, specific, informed, and unambiguous. Organisations must be able to show how and when consent was lawfully obtained.
Customers have a right to opt out of any form of automated evaluation, for example, credit scoring. They can assert this right at any time, for example, after they have taken out a mortgage. Under the GDPR customers have a ‘right to be forgotten’, i.e., to have their personal data permanently erased. There must be a reliable business process for data erasure.
Companies in possession of the data must also notify other holders of the data that consent has been withdrawn and data should be erased. Data erasure can be difficult due to backups, multiple systems and cloud storage.
How to keep data secure
According to the Office for National Statistics, cyber-crime is the most prevalent and prolific threat to UK citizens today, which emphasises the importance of ensuring all staff are adequately trained to understand the precautions required to protect your business. The Information Commissioner’s Office has already produced guidance for SMEs on IT security, which you can find here.
Undertaking a data protection health check on the treatment of data in your business will help you identify any potential risks of non-compliance or vulnerabilities.
Please contact us if you would like to discuss this further.