Current data protection laws haven’t been updated in the UK since 1998 when the government brought in the Data Protection Act, an Act of Parliament designed to protect personal data stored on computers or in an organised paper filing system. The policy makers at the time could not have foreseen the growth of data collection that exists today, or how it is used to make important decisions and automate systems through big data processes.
It is for this reason that the General Data Protection Regulation (GDPR) has come about, adding further regulation to how user data is collected, stored and used. Breaching this policy, which comes into force on 25th May 2018, carries substantial monetary and reputational risk. In fact, any business that doesn’t abide by the policy will face a fine of 20 million euros or 2% of the company’s global turnover (whichever is greater).
GDPR doesn’t just affect future data but it also affects historic data that organisations have amassed. This means some potentially big changes for businesses who use big data to their advantage.
In this article, I’ve listed four key steps that businesses should already be taking in preparation for GDPR. Preparation shouldn’t stop there, though, as there are many more steps businesses should be taking.
- Under the GDPR, customers will have the right to know, free of charge, what information companies have collected about them, and they will also have the right to have their information removed from publicly accessible databases. As these requests need to be met within one month, businesses will be required to have a procedure in place to handle and respond to them with urgency.
- Currently, when personal data is collected, businesses have to share privacy information, for example how they intend to use the data. Under the GDPR, businesses will be required to share some additional information, for example the data retention period and the fact that customers have the right to complain to the ICO if they suspect that their data is being mishandled.
- A common and complex form of cyber-attack is the insider threat. After all, employees have access to the most sensitive information, which businesses wouldn’t want ending up in the wrong hands. This is why businesses should be ensuring that employees are fully up to speed on GDPR so that they can help the business remain fully compliant.
- Although not every company will require a data protection officer, organisations can be fined if a data protection officer is required, but there isn’t one. It’s therefore advisable to immediately seek confirmation as to whether this is a requirement for your business or not.
GDPR should be taken seriously by all businesses, no matter what their age or size. This may be a daunting thought for start-ups, but fear not: the Information Commissioner’s Office has a dedicated phone service to help small businesses prepare for the new data protection laws.
For more information about GDPR, I encourage you to read through the documents found on the European Commission website. The ICO also has a useful free data protection self-assessment toolkit to help you assess your compliance with data protection law.