It’s easy to be blasé about the data you own, manage and process. Easy, but potentially expensive. The regulators can name and shame you, fine you or order you to stop processing data, bringing your business to a standstill. Here Walter Hale tries to help you avoid the traps.
1. Appoint a data protection officer
The new EU legislation is expected to require this for some organisations and, to be honest, it is a good idea for any business to have someone who keeps track of these issues and, to give one very basic example, makes senior management aware that change is coming in this area. (In smaller, simpler businesses, it doesn’t have to be a full-time job.) They will be the best person to document what personal data you hold, where it came from and who you share it with. They will also be able to advise the board as it seeks to strike the balance between risk and reward.
Every company has to weigh the commercial opportunities that could boost revenue against the risks of infringing the law, industry guidelines or best practice. Ultimately, directors should decide the level of acceptable risk - but they can’t do that without expert internal guidance.
2. Understand what we mean by data…
‘Data’ is an unhelpfully broad word, but it certainly encompasses the details you hold on staff, customers, clients, vendors and partners, data you have acquired from someone else and data you process on behalf of anyone else. To be concrete, this includes emails (and anything that appears on a company intranet), letters, employment records, customer contact details, CCTV footage, recorded phone calls and Web cookies (for which there are separate rules). Looking ahead, it will also explicitly include online identifiers such as IP addresses, and information generated by wearables.
3. …and then document it
Documenting all this will help you get a sense of where the risks lie, define the principles and procedures you will use to protect the data, and enable you to show what steps you have taken to comply with the new rules. For example, at the moment, when you collect personal data you have to tell the individual who you are and how you intend to use the information. Under the new rules, you will also have to explain your legal basis for processing the data, how long you will retain it, and that they have a right to complain to the ICO if they don’t like what you’re doing with it.
The other key change is that, under the 1998 Act, responsibility for safeguarding data rests with the data controller, i.e. whoever decides what the data is used for and how. Under the new rules, processors - anyone who handles the data on your behalf - carry direct obligations of their own, and you remain answerable for choosing them carefully. So you need to be vigilant about who you share data with and where the data you take in comes from. Ideally, vet any third party before you hand them your data or start handling theirs.
4. Consider the individual’s rights
You need to ensure your procedures cover all the rights individuals have. Their main rights under the new regulations are: to access the data; to have inaccuracies corrected; to have information erased; to prevent direct marketing; to object to automated decision-making and profiling; and to have the data provided to them in a commonly used, machine-readable format - in other words, it’s no longer enough to print it out on a bit of paper. If you have a data protection officer - and know what data you keep, where and why - it will be a lot easier to meet these requests.
As a rule of thumb, you will need to respond to a subject access request within a month. If you think a request is excessive or unfounded, you can refuse - or charge for it - but you will need to explain your grounds for doing so.
5. Be clear about how you get consent to use data
The ICO says: “Consent has to be freely given, specific, informed and unambiguous”. There also has to be a positive indication of consent to personal data being processed - it can’t be inferred from silence, pre-ticked boxes or inactivity. This is especially important if you’ve bought data to use. Using it without understanding what the individuals consented to is bound to provoke complaints - and you don’t want the ICO on your case. If they think really badly of you, they have the power to order you to stop processing data which, as it could stop you sending emails, processing transactions or making phone calls, could bring your firm to a standstill.
6. Think about the legal basis on which you process the data
This isn’t something many businesses have thought about much, but it’s important. Even under the existing legislation, you have to specify your purpose in processing data and you must stick to it. Luckily the ICO gives clear, comprehensive guidance on this at: https://ico.org.uk/for-organisations/guide-to-data-protection/conditions-for-processing/. The general rule is that the conditions on use become more exacting the more sensitive the data is - for example, if it relates to a criminal record. And remember that “we use data this way because this is the way our business operates” is not a defence.
The data you collect must also be proportionate - enough for you to do what you want to do, but no more. In other words, if you just want to put someone on your circular email list, you don’t need to know their previous employment, which football team they support or their inside leg measurement. It’s also important that you don’t keep it longer than you need to. And while you do keep it, you need to be sure it’s accurate and up to date.
7. If something goes wrong, act fast
If data is lost or stolen, you will be obliged to report the incident to the regulator within 72 hours of becoming aware of it. Yet you need to think beyond the legal requirements and let affected customers or staff know. The TalkTalk data breach cost the company £60m, and management must now regret following the Metropolitan Police’s advice not to warn customers so that investigations could continue. The company lost 100,000 customers. The wonder is that it wasn’t more.
8. Consider encryption
You don’t have to lock every byte of data in the high-tech equivalent of Fort Knox to satisfy the regulators. The EU rules ask for security measures appropriate to the risk, and they name encryption as one such measure. This is worth considering because if the encryption keys are held separately from the data - on your own premises, or in a dedicated key store, rather than alongside the database and its backups - a stolen copy of the data is unreadable and the loss is far less serious; under the new rules you may not even have to notify the individuals affected. The caveat is that encryption only helps if the keys really are kept apart from the data and are themselves backed up and protected: lose the keys and you have lost the data. And if the worst does happen, you should be able to convince regulators that you took sensible precautions and weren’t complacent about the risks.
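To make the “keys apart from the data” point concrete, here is an added example (not code from the original article) in Go: each personal-data field is encrypted at rest with AES-256-GCM, and the record identifier is bound into the ciphertext as associated data, so a blob copied from one row to another, or opened with the wrong key, fails to decrypt. The `Record` type, the customer ID and the email address are constructed sample data; in a real deployment `NewKey` would be replaced by a key fetched from a store that is separate from the database and its backups.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Record is a constructed example of one personal-data row as it would be
// stored: the ID stays in the clear, the email is kept only as ciphertext.
type Record struct {
	ID          string
	SealedEmail string
}

// NewKey returns a fresh 256-bit AES key. This stands in for a key held in a
// separate key store (an HSM or on-premises key management service); the key
// must never sit in the same backup as the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one field with AES-256-GCM. The record ID is passed as
// associated data, so the ciphertext is tied to that row. The stored value is
// base64(nonce || ciphertext || tag); a fresh random nonce is used every time.
func Seal(key []byte, recordID, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Open reverses Seal. It fails if the key, the nonce, the ciphertext, the tag
// or the record ID differ from what was used to seal the value.
func Open(key []byte, recordID, sealed string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("sealed value too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample row.
	sealed, err := Seal(key, "cust-001", "alice@example.com")
	if err != nil {
		panic(err)
	}
	row := Record{ID: "cust-001", SealedEmail: sealed}
	fmt.Printf("stored row: %+v\n", row)

	email, err := Open(key, row.ID, row.SealedEmail)
	fmt.Println("opened with right key and ID:", email, err)

	// A copy of the database without the key is useless: wrong key fails.
	other, _ := NewKey()
	_, err = Open(other, row.ID, row.SealedEmail)
	fmt.Println("opened with wrong key:", err)

	// Moving the blob to another row also fails, because the ID is bound in.
	_, err = Open(key, "cust-002", row.SealedEmail)
	fmt.Println("opened under a different record ID:", err)
}
```

The design choice worth noting is the associated data: binding the row ID into the tag means an attacker with write access to the database cannot swap one customer’s encrypted field into another customer’s record and have it silently accepted. The remaining risk is entirely in the key, which is exactly why the article’s advice to keep keys on your own premises, and separate from the data, matters.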
9. Don’t think it’ll never happen to you
In the first two months of 2015, for example, 68,000 data thefts were reported to British police. The most common cause of data breaches is human error. Sometimes the mistakes are outlandish - the MI6 agent who mislaid his laptop after a drinking session at a tapas bar being a particularly memorable example. Yet more often the errors are basic: failure to follow company procedures, general carelessness, lack of expertise in how to use applications and lack of training are all common causes of breaches.
Astonishingly, surveys suggest that almost half of companies don’t train their staff on data breaches. Such ill-preparedness already looks foolish - but as data protection rules are modernised, it will look plain stupid. The one simple thing you can do to reduce your risk of being sued, fined or shut down is to train your staff in data protection and how you expect them to behave. Whether you’re the employer or the employee, ignorance is no defence.