In less than ten months the way all UK companies deal with data will undergo a truly massive change.
The adoption of the General Data Protection Regulation comes into force in May 2018 and the government has confirmed it will apply to UK businesses regardless of where we are with the Brexit process.
The reality is that most large UK firms will choose to follow GDPR in order to continue trading with European partners and customers. The government has promised to introduce a new set of laws but this is likely to quite far down the list of priorities.
If you know anything about GDPR it is probably the size of the fines – up to four per cent of global turnover or €20m.
The new laws require businesses to fundamentally rethink how they treat private data.
Firstly because the law widens the definition of private data to include anything which could identify an individual and even includes an IP address. Advertising and marketing will need to think carefully about what information they are storing, and how it is protected.
Secondly it gives individuals the right to demand to see any information which is held about them and in some cases for it to be deleted. This will force companies to justify any information it holds and for how long it keeps it for.
Thirdly it will mean that companies have to take proactive steps to protect data. This means designing privacy in from the very start of projects – not just encrypting a database after it is collected but considering exactly what information is collected and why. It also obliges companies to inform people if their data is lost within 72 hours of a breach being discovered.
Finally companies are not just responsible for keeping their own houses in order. If you share any data with another firm you must ensure that they are also taking proper precautions to protect it.
This might seem like heavy handed over-regulation but public attitudes are changing in step with changes to the law.
While some businesses might still want to blame the hackers when they suffer a data breach the public, and regulators, are increasingly taking a much tougher attitude – both are more likely to blame the business.
The Information Commissioner’s Office recently fined a computer games rental company £60,000 for being hacked and losing customer data. The company in question lost over 26,000 customer details when its website was hit by an SQL injection attack.
The judgement found the company guilty of not running regular penetration testing of its website, having a weak password on its publishing system and leaving customer data unencrypted.
Companies have to take action fast to ensure they will be ready to comply with the new law.
This means a comprehensive data audit to see what data you have and where it is being stored. Larger companies will need to appoint a data protection officer to ensure compliance with the stronger rules.
But the change is also an opportunity for business.
Given changing public attitudes there is a chance for companies to start making data protection a business advantage and a key part of marketing and advertising messages. By this time next year it is a fair bet that we will see companies using data protection as a key way to differentiate themselves from the competition.
For companies looking for help the Information Commissioner’s Office website is a good place to start.