GDPR and the ethical use of data
Wherever your customer data is held, there is a risk. Whether it's financial risk such as bank details or confidential risk such as sensitive commercial or personal information, the cost of loss or a data breach can be high. Of course, regulations such as the Data Protection Act (DPA) already exist in the UK, providing your business with protection and safeguards against data loss or access.
The introduction of the General Data Protection Regulation (GDPR) will strengthen this legislation, providing more emphasis on the responsibility of data ownership and processing. GDPR comes into force in May 2018 and if you're smart, your business will already be preparing for it now.
Despite the Brexit decision, your business will still have to adhere to GDPR and face heavy penalties if you fall short. Essentially, GDPR acts as an extension to the current DPA, but significantly raises the stakes in terms of compliance. With maximum financial penalties in place, your business could be looking at a fine of 4% of annual global turnover or up to €20m (whichever is higher) for a breach of the rules. GDPR has been designed to protect personal data such as name, address or any data that enables identification, and sensitive personal data such as political views, medical details, passport or ID document scans.
Ethical use of data
Your business could be sitting on a goldmine of personal data, and under GDPR you will be held accountable for ensuring that data is protected and secure from cradle to grave. Your customers expect you to abide by the strictest data security measures and not take any short cuts that could leave their details exposed. As we become more connected in a digital world, it becomes more challenging to attribute accountability to the storage and ownership of personal and sensitive personal data. For example, as a customer journeys through your website, you can track the device they're using, the time of day they visit your website more frequently, the pages they looked at, the links they clicked on, the amount of time spent on a page, etc. All this data builds a profile of an individual that you can then use to market products and services. Large businesses will also have third party agreements where that data is shared amongst partners who can also market to that individual and begin to collect their own data.
When considered in the cold light of day, GDPR forces all businesses to follow a strict code of ethics in the way they collect, manage and store personal data. It has been designed to put the control of personal data back in the hands of the individual. The right to be forgotten, the right to be informed, the right of access, the right the restrict processing, amongst others, have been enhanced under GDPR, so it is worth re-visiting your procedures to make sure you're protected.
What about hackers and cyber-crime?
Illegal access to information will not cease; rather it will continue to grow while consumer confidence in secure data storage is diminishing. High profile cases of data loss, including the theft of 38 million account details from Adobe, the compromising of 20,000 bank accounts when details were held with Tesco and the hacking of one billion Yahoo email accounts, do nothing to reassure customers that their information is safe.
Data is power and blocking access to that data can bring businesses to a grinding halt, as experienced with the WannaCry Ransomware attack. Businesses need to reassure customers and partners that information is secured to the greatest possible degree.
Any organisation that processes, manages or has built its business on the back of third party data needs to understand GDPR and adhere to its regulations. More information on how to prepare for GDPR can be found on the Information Commissioner's Office website.