Since the beginning of the century, the amount of personal customer data stored by businesses has vastly increased, and the number of businesses that store such data has grown even faster. This has created major data security problems, because the UK's existing Data Protection Act, passed in 1998, was not written with the scale of modern data collection and storage in mind.
From 25 May 2018, the UK's new data protection legislation will bring the country into line with the EU's General Data Protection Regulation (GDPR). Although the GDPR was adopted by the European Parliament in 2016, more than half of the UK businesses surveyed by PORT.im indicated that they were entirely unaware of its existence. Many are also unclear about their responsibilities under the current law, with only 35 per cent of businesses reporting that they solicit and keep records of their customers' consent to store and use personal data. To have any hope of reaching compliance with the incoming GDPR, businesses need to make sure that they understand the law and their specific responsibilities to their customers.
What is GDPR?
The General Data Protection Regulation is designed to update data protection for the 21st century for European consumers and businesses. Its purpose is to give people more control over who holds their personal data and what those organisations may do with it. Specifically, the law grants individuals new rights to request a copy of, correct, and have deleted the personal data held about them by businesses and other organisations. Businesses must also have a lawful basis for every use of personal data (for marketing, that usually means explicit, informed consent obtained before storing the data or contacting the person), and they are restricted in exactly how they can use that information. Note that pseudonymised data (where names are replaced by codes but a key or other data could re-identify the person) still counts as personal data; only data that has been genuinely anonymised falls outside the regulation.
Failing to comply with data protection rules now also carries much higher penalties than the £500,000 maximum under the old Data Protection Act. Offending businesses could face fines of up to €20 million (around £17 million) or 4 per cent of worldwide annual turnover, whichever is higher.
GDPR affects all businesses that store customer data
According to PORT.im's survey, only 27 per cent of businesses believe that the GDPR applies to them, yet over 73 per cent indicated that they collect some amount of personal data from their customers. This points to a profound misunderstanding of the scope of the new law.
GDPR covers every individual, business, and organisation that is either a "controller" (deciding why and how personal data is processed) or a "processor" (handling it on a controller's behalf) of personal data. What many business owners may not appreciate is just how broadly personal data is defined. Any business that handles information that could identify a living person is affected. That includes ordinary personal data such as names, street addresses, email addresses, and IP addresses, and the "special category" data that gets extra protection: genetic and biometric data, health data, and information about a person's sexual orientation, political opinions, or religious beliefs.
The average SME rarely holds sensitive political or health information, but practically every business builds email lists and keeps basic identifying information about its customers for marketing purposes, and any business that runs a website or uses web analytics is already recording IP addresses in its server logs, whether or not it thinks of that as tracking. Businesses that are not handling this information properly today could find themselves in very hot water when GDPR comes into force in May.
Partial exemptions exist for some activities
While these rules will require many businesses to change how they handle personal data, certain activities are given special treatment. Journalism and other work done for the purposes of freedom of expression, scientific and historical research, and anti-doping work in sport are among the purposes for which the regulation and the UK's new legislation relax specific requirements, such as some of the individual rights and restrictions on processing special category data, so that the work can be carried out. These are derogations from particular provisions rather than a blanket exemption: an organisation relying on them still has to comply with the rest of the law.
What about Brexit?
Some UK business owners may assume that, with the UK leaving the EU, EU laws like GDPR will not hold force in the country for long anyway. But GDPR is not being implemented or enforced in the UK by the EU. The new data protection legislation is a UK law, enforced by the Information Commissioner's Office (ICO), that brings the country into line with the GDPR, so it will remain in force after Brexit. In addition, the GDPR itself applies to any business, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour, so a UK business with EU customers will be bound by it regardless.
Businesses have access to help to reach compliance
As a first step, all business owners should read the full text of the GDPR to make sure that they know what the new law contains. Reading the text alone, however, may not give business owners actionable answers. Late in 2017, the ICO launched a telephone helpline to support small businesses in reaching compliance with existing and incoming data protection law. This is an excellent resource, particularly for small business owners dealing with the issue for the first time.
GDPR has drawn some pushback from business owners and researchers who consider the law too restrictive. However, the increasingly large and frequent data breaches of recent years only underline the need for better data protection, and the regulation addresses breaches directly: a business that suffers a breach putting individuals at risk must report it to the ICO within 72 hours of becoming aware of it. By giving consumers more control over how their data is handled and who has access to it, the UK and the EU will be better placed to limit the impact that such attacks have on their citizens.