The ethereal nature of data makes it difficult to look after, especially in an age in which the tactics of online criminals are never off pace with even the most sophisticated computer defence systems.
But it’s not just about keeping our own enterprises safe from harm: organisations are bound by law to take care of the information they hold and to stop it from falling into the wrong hands.
Irrespective of industry or company nature, businesses will hold a great deal of information that needs to be protected, from employee records to customer details, subscription schemes, transactions and third party material.
Essentially, all private information is sacred and must be kept private, from names and email addresses to more immediately sensitive data such as home addresses, bank and credit card details and health information.
Each of these constitutes a direct or indirect pathway into the personal lives of current staff, partners and next of kin; business partners and clients; customers and shareholders, and the broader public.
The Data Protection Act 1998 governs how personal data is used and held by the government, businesses and other organisations. Under the Act, any official entity that stores or processes personal data is considered a ‘data controller’, which must register with the Information Commissioner’s Office and observe strict personal data guidelines.
This issue is particularly important when recruiting new staff, when handling the information of individuals who have left the company, when products and services are marketed, and when CCTV is in use.
The guidelines ensure that data is:
To address recent changes in IT, a new framework has been agreed called the General Data Protection Regulation (GDPR), which will come into force next year.
The new regulation will impact upon all businesses with or without a physical presence in the EU, if that business offers goods or services to EU data subjects or examines how EU data subjects behave.
As of May 2018, businesses will have to adhere to even more data protocols, with those obligations becoming increasingly tough for frequently processed or highly sensitive data.
Firms that need a data subject’s consent to process information lawfully will need that consent to be given freely, in a specific and unambiguous manner, on the basis of a fully informed decision. Consent for sensitive data will have to be explicitly stated.
Responsibility will also fall on businesses’ shoulders to ascertain the level of risk associated with their data processing and how it could impact data subjects. Lower-risk processing, meanwhile, will be subject to fewer compliance obligations. Businesses will be obliged by GDPR to keep a detailed record of all processing activities, while larger firms will have to appoint a data protection officer to oversee operations.
If a breach of a data subject’s privacy has been uncovered, the Data Protection Authority (DPA) will have to be contacted and notified within a 24-hour period.
Firms operating in a number of EU member states will be able to conduct affairs through just one DPA which will act as the leading authority.
In next year’s new European data protection climate, data subjects will have the right to have their information forgotten, while new rights will be brought in regarding individuals’ data portability and the ability to object to automated decision-making.
Clearly no business wants to fall foul of data protection regulation; currently in the UK the Data Protection Act carries very serious consequences for organisations that violate its terms, with prosecution leading to a range of tough punishments.
Fines of anything up to £500,000 can be incurred, while individuals involved in non-compliance can be issued with a prison sentence if the misdemeanour is considered serious enough.
Under GDPR, any breaches by data controllers and data processors will result in greater fines than are currently being issued, and administrative errors will really sting, to the tune of €20,000,000 or 4 per cent of global turnover.
Industry leader, Dell, is helping businesses store, analyse, and protect their data to ensure GDPR compliance and avoid hefty fines.