Expert Opinion

How data protection has affected businesses

The EU’s General Data Protection Regulation launched in 2018, and quickly became part of common parlance in workplaces across the continent. It was the largest and most comprehensive package of new rules ever put together. But the idea of data protection has been around for far longer than that.

What is it?

In the UK, the Data Protection Act 2018 works this regulation into national law. It governs the way that businesses and public bodies handle the data they manage. This act labels certain individuals and bodies ‘data controllers’. It is the responsibility of these parties to take reasonable steps to reduce the likelihood of data being lost or stolen.

How it will affect your business

The thing about data protection rules is that they apply to just about everyone, rather than to any specific industry. Only certain types of data use are exempt: for example, those processing data for purely private or domestic purposes, as well as smaller charity organisations and clubs.

The GDPR confers a number of rights upon the individuals whose data you’re storing, and grants them the ability to take action against you. For example, there’s the right to be forgotten, which means that you’ll need to delete the personal data of customers who choose to leave you and go with someone else. Then there’s the right to access, which means that any customer can request a copy of the data you have on them, and you’ll need to oblige.

In the event that an individual’s personal data is compromised by a breach, you’ll need to notify them within 72 hours in order to stay on the right side of the regulations.

How can you comply?

A data controller handles data and must abide by a number of rules, including registering with the Information Commissioner’s Office. Registration incurs an annual fee which varies depending on the size of your business – but failure to comply exposes you to considerable risk. The maximum penalty that can be imposed is a fine of £500,000 – which puts the £500 annual fee for a large business into perspective. It was under these rules that Sony was fined in 2013, for allowing customer information to be stolen from its PlayStation Network.

Among the most important steps you might take is to audit the data you’re keeping, and to dispense with the data that you don’t need. This will limit the likelihood of error stemming from false information, and it’ll also reduce the damage in the event of a breach occurring.

If you’re unsure of your obligations, or whether the way your business operates is up to standard, then the best course of action is to have a reputable legal firm perform a risk advisory.
