GDPR – The Data Time Bomb
General Data Protection regulation? by David Preece, Partner, FBC Manby Bowdler
Most business owners and managers are familiar with the Data Protection Act. Since the original Act in 1994, and later revisions, it has governed how businesses store, protect and manage data.
That’s all about to change in a big way though, and manufacturers need to be able to show they have addressed those changes and are working to the new regulation from May 25th 2018.
The General Data Protection Regulation (GDPR) is European law which actually entered onto the statute books in May 2016 but it will affect everyone from next year, when enforcement begins.
Data protection: reach extended and claws sharpened
In fact, those who framed the regulation at the European level argue that it is as much about enabling those who store and process data to legitimately make a commodity of it, without rampaging over the rights of every person they hold information on.
One of the key considerations of the regulation being enforced from next May is that its new penalties will come into force – and they are potentially devastating compared to what we have now. There are two tiers: the first is up to €10m or two per cent of a company’s global turnover of the previous year, whichever is the higher; the second is up to €20m or four per cent of the previous year’s turnover, again, whichever is higher. This is a significant difference to the fines the Information Commissioner’s Office can currently levy.
Taking a high profile example: Talk Talk’s 2016 fine of £400,000 for allowing hackers to access customer data would have rocketed to £59m under GDPR. Figures like that should be enough to make anyone pay attention.
Brexit won’t blow it all over
Often one of the first questions asked on this topic is whether it should really be taken seriously, given that we as a country are on a course to leave the EU. The only answer is that these laws are due to be implemented before our leave date in 2019 and, even then, are likely to be adopted either in their entirety or as a version that closely resembles the European regulation. In any case, if you continue to handle the data of EU residents, you will need to comply with the full rules.
The next natural query is: what’s so different about GDPR? You could say it’s a root and branch reappraisal of the methods of collecting, storing, sharing and protecting data.
There is much more focus on whether and how permission to store and use the data was gained, ensuring it remains accurate, giving the subject the right to access it or to ask you to share it elsewhere and, critically, the steps you take to protect it.
It is very hard to think of a business that would not need to take action around GDPR. From the basic collection and use of email addresses for mailing lists all the way through to more sensitive data, such as personal, financial or health records that manufacturers may hold on staff, there are steps that must be taken and new practices that have to be introduced, if you are not to get caught out.
Action to take
This can all seem to be a very big, complex and somewhat daunting job, especially for manufacturing SMEs who will not be in a position to hire their own specialists or form a department to deal with the implications and implementation.
However, the manufacturing sector businesses that deal with this well will be the ones who also embrace it as an opportunity. Many are sitting on a vast wealth of data that they are not recognising and making good use of. It could represent better intelligence about their customers and their habits, or it could be management data which can be leveraged to make the organisation more efficient and, therefore, profitable.
In fact, with the proper controls and safeguards in place, you may discover you have data that can be shared with third parties for profit, legitimately, and with the permission of the subjects.
There are many hurdles to clear in order to arrive at such a position, though, and the last thing anyone should be doing now is taking this lightly. A bit of fiddling around the edges will not protect you from falling foul of this regulation.
Other companies have been hit with significant fines for simply emailing people on their lists to ask if their information is up-to-date! In the case of Honda, that ran to £13,000 because it held no information on whether the recipients had ever opted in to its lists in the first place – and remember, those fines would be many times larger under GDPR.
The steps you need to take will vary by business type and we couldn’t hope to cover them here. Fundamentally, you need to ensure that everyone in your business is aware of the changes and the care with which data must be treated.
You need to assess what data you have, how it was obtained, whether you still have the right to have or use it and who you share it with. You need systems to log how and when your data is used and by whom, ways to ensure requested corrections and updates are made in a timely and accurate fashion (and shared with third parties who may also have that data) and a process to clearly and efficiently make information available in full to the people it is about if they ask.
Security: avoid expensive mistakes
It’s highly likely that most businesses will need expert support to meet their GDPR obligations and the clock is now very much ticking. If you do not already have preparation in hand or know where your knowledge will come from, start talking to your professional advisors now. Right now.
Data, now, is at the heart of the economy. Every business is expected by law to take its responsibilities for data and the people it represents very seriously. The penalties for failure to do this will quite likely see the destruction of some businesses; you may argue that, by failing to prepare, they will have brought this on themselves. After two years of transition, ignorance will be no defence.