Written by Steve Smith
With Britain’s recent decision to leave the EU there is a lot of confusion about which regulations and rules will continue to affect British businesses after we leave the economic bloc. One regulation in particular could have huge ramifications for your business…
While leaving the EU is an incredibly complex subject, what we know so far is that EU regulations already in place will be carried over into UK law and updated when necessary. After we leave, Britain won’t automatically be subject to new rules from Brussels. But what about the upcoming General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018? As always, things aren’t quite as simple as they seem.
If your business offers goods or services to people in the EU, or monitors their behaviour, you must comply with the GDPR whether or not Britain is part of the EU – or face some big consequences…
The GDPR stems from positive intent: Article 8 of the European Convention on Human Rights recognises that every living person has a basic right to respect for their private life. This covers who holds and who uses your personal information, such as names, addresses, credit card details, social media user names, collar size, ethnicity, etc. Where businesses might start to see issues is that technical information can also count as personal data, such as the IP address of your home PC.
Let’s suggest your business holds all its client information in a CRM database. The provider of that database suffers a security breach and your clients’ personal details are leaked. Who is to blame: the provider, or you, for handing over all your client information without checking how it would be protected? Under the GDPR it’s both of you, I’m afraid. You are the data controller (you decided why and how the data is used); the CRM provider is a data processor acting on your behalf. The regulation places direct obligations on processors for the first time, but that does not shift responsibility away from you. As the controller, you must ensure you have the correct hardware, software, backups, staff training and suitable contracts with your suppliers to handle personal data correctly.
“Dealing correctly” also covers why you have this data and what you intend to do with it. There are now three key areas that need to be considered:
Let’s suggest the worst happens and you suffer a data breach. Under the new law you have 72 hours from becoming aware of the breach to notify the UK Information Commissioner’s Office. Don’t read “aware” as a loophole: you are expected to have measures in place to detect a breach promptly, so a defence of ignorance is worth very little. If you set off home on Friday at 1700, are breached at 1730, and nobody notices until Monday morning, the 72-hour clock starts the moment you open that email, and the first question from the ICO will be why your systems let an intrusion run unnoticed all weekend.
You also have to tell the individuals whose data has been compromised, without undue delay, where the breach is likely to put them at high risk. Failure to do either leads to the consequences mentioned above, and they can be BIG. Consider this: do you feel 100% comfortable that you have adequate technology to protect your client data? To detect a breach and identify the victims within 72 hours? Do you have a process in place to notify the UK ICO?
You’d better be confident, as it’s time to talk about the consequences of not complying.
If you fail to cover yourself adequately, you are now looking down the barrel of a fine of up to €20m or 4% of your annual worldwide turnover, whichever is the greater. Looking back to 2015, TalkTalk were severely breached and received a fine of “only” £400,000 (around €460k). If this breach had happened under the GDPR, experts have suggested the fine would have been nearer €72m. Scary stuff indeed.
How do you protect yourselves better than you are now?
The good news? The three-step process above is hardly onerous: most businesses already know why they collect data and what they use it for, so all that is left is to put it on paper.
Your IT provider should already be on the case with advice and recommendations on how you can improve your security and backups to keep yourself safe. It’s time to take IT and the security of your infrastructure seriously, by giving your provider the time to show you where the gaps in your systems are. It’s also time to consider these improvements an investment rather than a cost: an investment in protecting you, your staff and your clients.
Positive intent indeed!