What do UK firms actually need to do?
At Vohkus we’re getting more and more customers asking about GDPR. And the government’s data protection proposals since the Queen’s Speech have only confused them more. As the next round of Brexit talks gets under way, there’s been a lot of talk about what legal jurisdictions will apply in future. What few people seem to be pointing out is that there is still important EU legislation waiting in the wings which will have a widespread effect on British businesses.
There’s no escape from GDPR, the EU’s General Data Protection Directive, which comes into force in May 2018. And what’s more, it’s set to be something that becomes enshrined in the statute book of UK law. With great fanfare on 7 August 2017, the government announced its plans to overhaul UK data protection, with promises of massive fines for non-compliance.
Matt Hancock, minister of state for digital, claimed: “Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account. The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”
UK data protection and GDPR: same difference
As some commentators have pointed out, the government’s announcement smacked of the government ‘taking credit’ for GDPR with its new bill. For example, Bob Tarzey, director at analyst Quocirca, said: “The UK government is making headlines about something we've already had that was EU-based. It's been presented as a UK data protection law, but it's just GDPR. There's nothing I'm aware of that the government is doing to enhance data protection beyond what GDPR is doing.”
Tarzey also suggests that UK data protection daren’t stray too far from the EU GDPR template (which was substantially influenced by ICO, the UK information commissioner’s office) in any case. “If UK data protection laws start to drift from data protection laws in the rest of Europe because we're not part of the EU, you're back to the old days where US firms have to heed every data protection law across the region.”
Do firms understand the risks?
Of course, there have been plenty of scare stories about the new data breach fines. The current maximum fine firms can suffer for breaking data protection laws is £500,000. Between summer 2015 and the same time this year the ICO issued 87 monetary penalties, 52 undertakings, 35 enforcement notices and brought 31 prosecutions under the existing Data Protection Act. The largest individual data protection fine was £400,000 to TalkTalk for its 2015 leak of 156,959 customer records. In future, UK firms that suffer a serious data breach could be fined up to £17m or 4% of global turnover.
The Federation of Small Businesses is nervous. Mike Cherry, its national chairman says smaller UK firms “…simply aren't aware of what they will need to do, which creates a real risk of companies inadvertently facing fines.” With one in five senior executives still apparently having little or no idea about GDPR and its impact anyway, it’s not just small firms that are in the dark.
Scare stories or good practice?
Of course, everyone’s used to the tech industry using scare stories to try to sell more equipment and services, with the infamous ‘Millennium Bug’ perhaps being the best-known example. It’s certainly true that a number of the vendors with which we work at Vohkus are highlighting that their products help buyers enforce GDPR compliance.
But whether you call the future legislative landscape GDPR or a new UK Data Protection Act, the key point is that in either case British firms will simply be obliged to do what they should be doing anyway – and that’s protecting the data and privacy of individuals.
We think the real risks are all related to missing out on business opportunities, not to being hit with punitive fines. Good data protection practice is one of those things that drives business forward.
A risk assessment example
Let’s look at one aspect of the new law as an example. For years, Data Protection Impact Assessments (DPIAs) have been advocated as best practice by the ICO, and many organisations already carry out DPIAs as a matter of routine.
A DPIA is a risk assessment of the proposed processing of personal data by an organisation, and is intended to help an organisation identify the most effective way to comply with its obligations, identify and mitigate risks to data, and meet individuals’ expectations of privacy.
When GDPR comes into force, DPIAs will become mandatory in certain circumstances (although the penalties for failing to carry one out are half those applicable to data breaches). A DPIA must be carried out prior to the implementation of any high-risk new technology, project, activity or process, and ideally as early as practical in the design process.
In an interesting twist, that could mean you need to carry out a DPIA ahead of implementing major new technology intended to ensure compliance with GDPR or its future equivalents in the first place.
Understand your needs before you look at technology
Brexit is not going to prevent the need for data protection and privacy, and you only have until May 2018 to get your house in order anyway.
So the key is to get your processes right now. If you’re conforming to best practice already you have nothing to worry about from GDPR or whatever form of GDPR the UK implements after Brexit, because you’re essentially already doing all the right things.
Of course, we at Vohkus will have no difficulties helping you identify which technologies could help you manage your response to GDPR. But there’s no point in selling you stuff you don’t need. If you’re going to use good data protection practice as a business enabler, technology needs to be matched to your processes, not the other way round.
What’s your experience so far? Are you among the execs who claim to be in the dark? Are your processes still being formulated or do you have the right governance in place to deal with the new landscape? And if you’re already using technology to help with data protection, is it really making a difference? We’d love to hear your thoughts.