Expert Opinion

Navigating data protection reforms: Business compliance challenges in the UK

The world of business now has access to an unprecedented amount of data. And the use and storage of that data is now governed by a range of sophisticated laws and regulations.

If your business is to stay on the right side of its legal and moral responsibilities, then it will need to take compliance seriously. This means getting the right data protection lawyers to act on your behalf, and implementing any necessary organisational changes.

Let’s take a look at some of the challenges presented by recent data protection reforms.

The Evolving Regulatory Landscape

The most eye-catching reform to the way that we deal with data came in the form of the EU’s General Data Protection Regulation, which in the UK was implemented through the Data Protection Act 2018. This law empowers individuals to find out what data is held about them, and to request its removal. It also obliges data holders to deal with these requests.

More recently, the Data Protection and Digital Information (No. 2) Bill is set to shift the UK’s approach to this area of law. If implemented, this prospective new law would reduce the burden on data-keeping businesses, and remove barriers for ‘responsible’ innovation.

Data Mapping and Inventory

The storage of a large amount of data can quickly become unwieldy, especially if that data has not been well mapped. If you are holding any information which can be used to identify an individual, such as a name or phone number, then you should treat it as personal data that is worth mapping. Under the GDPR, other identifying information such as race, political opinions and health data might also be considered personal.

The creation of a data map is not mandated by GDPR, but it will make it much easier to search your data and establish where specific data points lie. The map should ideally allow you to see not only the data itself, but the way that it has flowed through your organisation.

Consent Management

The GDPR works through an ‘opt-in’ philosophy, which means that you’ll need the consent of the person whose data you’re collecting. Consent must be freely given, informed, specific and unambiguous. By keeping records of consent, you’ll be able to demonstrate that you’re on the right side of the law. In larger and more complex organisations, this is typically done through a specialised consent management system.

International Data Transfers

The GDPR imposes a few extra rules on data being transferred outside of the European Economic Area. These transfers are generally considered ‘restricted’, but there are a few exceptions. The individual whose data is being transferred might give explicit consent to the transfer, for example. Or, they might be incapable of giving consent – in which case the business performing the transfer must be satisfied that it is acting in their best interests.

Following Brexit, both the UK and the EU took independent decisions to allow one another to send this kind of data between the two regions. However, the GDPR restrictions still apply in both.

Data Security Measures & Data Breach Preparedness

Modern data protection law requires that data be kept securely. This means that it should be encrypted so that third parties cannot read it, and that a system of access control should be put into place. Where data breaches do occur, the organisation should have a plan in place to respond to the incident.
