Data protection is an important, complex and evolving subject in business management. I had no intention of producing a blog at this stage (having recently produced a 30 page report), however it was inevitable the topic would resurface soon enough.
A contact asked me quite simply – “do I need to be concerned with data protection laws?” Having some insight as to why they asked this questions, I quickly responded with “Yes”. Hereinafter the debate started.
Because you’re about to start running a business.
I assume you’ll be dealing with people?
Well, I only intend on dealing with other businesses, not people – so for me, it seems like a grey area.
No grey area. Businesses are formed of real tangible people, and you will be dealing with people, not the intangible business itself.
This is the moment it clicked for them. There is little way of avoiding the topic. Having worked in the legal industry for some time, I was very quick to react when someone mentions an area of business management being “in the grey”.
So what is data protection?
If you handle personal data (data which relates to a living individual who can be identified from that data), then you are required by law to protect that information. This data may belong to employees, customers or any other person you deal with in the course of business. At a high-level, The Data Protection Act 1998 (DPA 1998) requires you to;
only collect information for a specific purpose;
keep it secure;
ensure it is relevant and up to date;
only hold as much, and for as long, as you need it;
allow the individual to inspect their data on request.
Personal data may include; names, email addresses, tax details, vehicle number plates, credit card numbers, and even computer IP addresses. Not a lot falls outside the scope of ‘data’.
Why is it important?
Because in reality, there is no way for a business to avoid it. Virtually every business in the UK (and many other countries), are subject to data protection laws. Their purpose is to protect individuals’ personal and sensitive information landing in the wrong hands.
Whilst I appreciate complying with data protection laws may seem like hassle for businesses, especially startups, a business owner must consider how they would feel to be in the firing line. Consider if it was your personal data ending up in the wrong hands, and what use could be made of that data. A worrying thought. Now what if you were responsible for a customer’s or employee’s data ending up the wrong hands, whether directly or indirectly. A lot of damage could be caused, and a lot of trust lost (amongst other things).
High profile examples
TechWorld recently reported on The UK’s 13 Most Infamous Data Breaches. This does not yet include the unprecedented attack on Yahoo in which details of around 500 million user accounts were leaked online.
As you will note, data breaches may be accidental, such as from lost hardware, or a result of a deliberate and targeted attack on a business.
You can see from these high profile examples the damage that can be caused by data breaches, failure to comply with data protection laws, or manage data protection risks. Data protection should therefore be seen as a framework protecting employees, customers, and the business itself.
Where it gets complicated
The DPA 1998 has been around for many years. It was implemented as a result of a European Directive intended to harmonise data protection laws across the European Union, and ensure adequate protection of all EU citizens’ data, regardless of where that data is held or transferred.
Two primary issues have surfaced from the current framework. Firstly, technology has significantly evolved since the DPA 1998 came into force. The way in which data is now held, managed and transferred has changed, as has the outsourcing of data to third parties for the purpose of providing business services. Secondly, EU member states had an element of discretion in implementing the Directive into national law, causing confusion and lack of certainty in how personal data would be handled across different member states.
The EU therefore agreed on the General Data Protection Regulation (GDPR), intended to provide a well needed refresh to data protection laws. The Regulation will strengthen individuals’ rights and introduce new obligations on businesses who collect and handle personal information.
Unlike the Directive, the Regulation will apply directly to all member states in its agreed form, without any need to implement into national law. The GDPR will come into force from 25 May 2018 and will apply to any organisation which “operates in” the EU market.
Why does this matter if we are leaving the EU?
We will only have officially left the EU once we have completed the process under Article 50 of the Lisbon Treaty. As it currently stands, this will not be for at least another two years.
What all this means is that the GDPR will apply before we have left the EU, meaning all EU businesses will need to adjust their practices in order to comply with it. What happens after we leave the EU we just don’t know, but we can assume that a similarly stringent set of laws will continue to apply with regards to data protection.
What action to take
If you are already in business, or starting one soon, and are concerned about your current status – take affirmative action as soon as possible. Speak with the right people, and ensure you comply with the current framework and prepare yourself for compliance with the GDPR.
Keep up to date with business and data protection laws by following me @MMmarketpreneur