Welcome back from your summer holidays.
Judging by the weather, summer is well and truly over and we are starting to think about Christmas. As we are all now firmly back to work, I thought I would talk about a subject that interests me greatly. Until recently I had not heard too much about GDPR or about what the Government has re-named as the new Data Protection Bill. While I am constantly sending and receiving emails, I am not a regular social media user. Neither Twitter nor LinkedIn is part of my daily routine and I do not have a Facebook account, but I know that I am unusual in this regard. For many people and many businesses, these are integral tools of everyday life.
Until now people have not had the power to decide or control how companies use their online data. The last time the UK updated its data protection act, in 1998, we were one year into Tony Blair's first election victory, Titanic had just won its Oscars, and the franc and the lira were still major European currencies. Dial-up internet was the only way to get online.
The EU's General Data Protection Regulation (GDPR) is being written into UK law through this Data Protection Bill, championed from the heart of government by the Minister of State for Digital, Rt Hon Matt Hancock MP. Since 1998 the quantity of data available has increased exponentially with broadband, wifi and endless shareable media.
As both the Chairman of the IoD and of Cifas, the Credit Industry Fraud Avoidance System, I understand what is at stake when companies have not looked after the data with which they are entrusted. The breaches have kept coming: TalkTalk, Equifax, and Yahoo recently admitting that a four-year-old breach probably affected all 3 billion of its accounts. Data protection, and the risks that come with it, has become part of everyday life. Indeed Cifas recorded 89,000 cases of identity fraud in the first six months of 2017, a record number.
The IoD and Cifas are working to ensure that individuals and businesses know their obligations when the Data Protection Bill becomes law in 2018. The purpose of the Bill is to ensure the UK complies and has parity with the EU's GDPR. While the principles of the 1998 Act, and its 2003 updates, carry over (including rules around how data is processed and the consumer's right to know what personal data a company holds about them), the new regulations go further.
Many of the headlines about GDPR have focused on what it will cost businesses if they fail to meet the new standards. Data breaches, including cyber-attacks that companies could have done more to prevent, could be punished with fines of up to £17m or 4pc of global turnover, whichever is higher. Under the current regime the maximum fine is £500,000. Many smaller businesses are only now becoming aware of the new legislation and of what they will have to do to comply. One of the hardest challenges for companies will be to ensure that users understand what they are signing up for: consent must be specific and informed, so a simple tick in a box, or a single "agree" button, is no longer enough.
This consumer-focused Bill gives people the "right to be forgotten": the ability to ask the Facebooks, Amazons and other large internet entities to delete the data they hold on you. While many lives are now lived on Facebook, and the content online is cherished by many as a diary of their hopes, the right to deal with your own data is still an important one. The law applies to any company that holds data on its customers. A person does not have an absolute right to have everything a company holds on him or her deleted; the new Bill applies where the data an organisation has collected is no longer needed for the purpose for which it was originally collected, or where consent has been withdrawn.
These new rules are both broad and bold, and much will be clarified when they are challenged in court. They are an opportunity for consumers to take greater interest in, and care over, who knows what about them. The £10 fee for subject access requests is being removed, and every organisation must disclose what it holds within a month.
Data, and data collection, is crucial to the workings of nearly all businesses. Companies must know their customer base and work to ensure their product is as relevant as ever. This level of scrutiny from government over how business operates, in order to protect customers, is however a whole new landscape. Companies have to adapt to it quickly and prepare for the introduction of the Data Protection Bill next year, and we at the IoD are here to help all our members do so.
Best regards as ever,