Data protection in business
As a small to medium size business (SMB) owner or executive, you understand the necessity of spending money, time and effort on data protection and security. Beyond the regulatory requirement itself, the main reason for an SMB to comply with data protection law is to avoid financial loss: for most businesses, personal and customer data is among the most valuable corporate assets and must be safeguarded accordingly.
When your data is lost or compromised, the repercussions are severe. Lost information will negatively impact your company finances, including, but not limited to, lost sales, government fines, costly litigation and a significant drop in productivity. Moreover, if a breach occurs due to inadequate data protection, your brand and reputation will suffer, with clients fleeing to competitors.
In business today, customers expect close to 24/7 availability. If your enterprise is unable to operate because of a data breach or loss, the downtime that follows will not go down well with clients, who will take their business elsewhere. Don’t be fooled into thinking that e-commerce would be the only victim in this scenario. Almost every business, from finance to service providers, operates round the clock, or at least its computers do. So, to keep clients satisfied and government authorities from knocking at your door, ensure that you comply with all regulations pertaining to data protection.
In this report, you will explore the current UK data protection law, the Data Protection Act 1998, which is enforced by the Information Commissioner’s Office (ICO). You’ll also take an in-depth look at the upcoming European Union General Data Protection Regulation (GDPR), which applies from 25 May 2018. The report will provide you with a simplified roadmap of what to expect from the GDPR, how to avoid non-compliance, and what strategies your SMB can implement to be ready for the data protection changes in the New Year.
Data protection in the UK
The Data Protection Act 1998 (DPA) is designed to protect personal data held on IT systems or in structured paper filing systems. The DPA implements the EU Data Protection Directive of 1995, which set out rules on the protection, processing and movement of personal data. Any company, non-profit or government body holding personal data for any purpose other than purely personal or household use must comply with the Act. The DPA rests on eight principles to ensure that information is lawfully protected, stored and processed. Information must be:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- accurate
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
The ICO is an independent, official body whose role is to uphold information rights in the public interest. The ICO enforces the DPA, the Freedom of Information Act, the Privacy and Electronic Communications Regulations (PECR) and other laws relevant to the use of personal data. The ICO publishes a data sharing code of practice, which gives businesses a framework for making informed and lawful decisions about data sharing.
Under the DPA, organisations are generally not required by law to report a data breach to the ICO (telecoms and internet service providers have a separate notification duty under PECR), although it is wise to do so, especially if the breach is major and affects many individuals. The ICO has the power to issue fines, known as monetary penalties, of up to £500,000. As of November 2017, the ICO had issued in excess of £4 million in fines, with those penalised including the London Borough of Islington, TalkTalk Telecom and Morrisons supermarket. Historically, businesses have not taken the ICO seriously. But when you reflect on the damage a fine of £50,000 can do to a delicate SMB budget, you’ll realise that the ICO shouldn’t be taken lightly. With the DPA giving way to the GDPR next year, any form of data protection non-compliance will be no laughing matter.
European Union GDPR
On 25 May 2018, the General Data Protection Regulation (GDPR) takes effect, replacing the existing Data Protection Directive (Directive 95/46/EC) in the European Union and superseding the DPA in the UK. Unlike a directive, which each EU Member State transposes into its own legislation to meet the required aims, a regulation is directly applicable and enforceable across the Union. The GDPR was adopted in April 2016; a two-year transition period was granted to give organisations time to make the necessary changes to align with the regulation.
The GDPR is a lengthy document consisting of 11 chapters and 99 Articles. However, the regulation is structured around six fundamental principles relating to the collection, handling, processing, retention and protection of personal data, set out in Article 5(1), with Article 5(2) adding that the controller must be able to demonstrate compliance with them (accountability). The six principles are summarised as:
- Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a manner that is transparent to the individual.
- Purpose limitation: personal data may only be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
- Data minimisation: personal data collected and stored must be adequate, relevant and limited to what is necessary for those purposes.
- Accuracy: personal data must be accurate and, where necessary, kept up to date; inaccurate data must be corrected or erased without delay.
- Storage limitation: personal data must be kept in a form that permits identification of individuals for no longer than is necessary for its intended purpose.
- Integrity and confidentiality: personal data must be protected at all times by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Clearly, the GDPR is a definitive piece of legislation which requires all organisations, both large and small, to exercise vigilance when accessing, processing and storing any form of personal data.
GDPR requirement examples
Before exploring your own company’s needs in terms of becoming GDPR compliant, it’s worth reviewing some examples of GDPR requirements related to its guiding principles. These include ‘the right to know’, breach reporting, consent, impact assessments and non-compliance.
1. The Right to Know
Everybody has the right to know if an organisation is processing their personal data. They must also be told the purposes for which the data is being used. Furthermore, an individual has the right to request the correction or deletion of their data and, in certain circumstances, to have its processing restricted. They can object to direct marketing at any time and, where processing relies on consent, withdraw that consent. Individuals also have the right to data portability: they can receive the data they have provided in a structured, commonly used and machine-readable format and have it transmitted to another organisation where technically feasible.
2. Breach Reporting
In the event of a personal data breach, data controllers must notify the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. A processor that discovers a breach must notify the controller without undue delay. Where the breach is likely to result in a high risk to individuals, the organisation must also inform the affected people without undue delay.
3. Individual Consent
Under the GDPR, every processing of personal data needs a lawful basis; consent is one of six such bases (others include performance of a contract and the controller’s legitimate interests). Where consent is relied on, it must be ‘freely given, specific, informed and unambiguous.’ The regulation contains specific rules for children’s consent to online services: the default age is 16, but Member States may lower it to as low as 13, so controllers operating across borders need to know the threshold that applies in each state. Below that age, consent must be given or authorised by the holder of parental responsibility.
4. Impact Assessment
Organisations are legally obliged to carry out a data protection impact assessment (DPIA) before any processing that is likely to result in a high risk to individuals, for example large-scale profiling or monitoring. The controller carries out the assessment, taking the advice of the Data Protection Officer (DPO) where one is appointed, and uses the findings to gauge the extent of intrusion into individuals’ privacy and to apply appropriate mitigations where necessary. Separately, the organisation must maintain records of its processing activities, evidence of any consent it relies on and documentation demonstrating GDPR compliance; the DPO’s role is to advise on and monitor these obligations.
5. GDPR Non-compliance
Companies should not be fooled into thinking that GDPR compliance is a one-off activity which can be archived and forgotten. Compliance is an ongoing process, requiring changes to how personal data is processed and stored depending on circumstances, the sensitivity of the data and the age of the individual. Non-compliance can result in hefty fines, prosecution under national law, or an order from the supervisory authority restricting or stopping the processing concerned until the organisation is GDPR compliant. Companies are urged to nurture a culture of privacy in order to protect individuals’ personal data.
GDPR versus DPA
The protection of personal data is the cornerstone of the upcoming GDPR. The regulation broadens the requirements of the DPA in many ways. For example, the definition of personal data is more expansive, the appointment of a data protection officer (DPO) becomes mandatory for many organisations, and there are new requirements for data breach notification. The GDPR also requires that data protection be built in from the inception of a service rather than bolted on as an afterthought. Consider now four core GDPR features that will probably affect how you process and store personal data for business in the future.
1. Personal Data Definition
The GDPR defines personal data more widely, so more data types fall within the regulation’s scope. Personal data is any information relating to an identified or identifiable person, including identifiers such as a name, an identification number, location data or an online identifier (an IP address or cookie identifier, for example), and factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity. Companies are required to be cognisant of these factors and to be mindful of the personal data that they store. The ICO’s guidance on what constitutes personal data is a useful reference for developing a broader understanding.
As with the DPA, the GDPR stipulates that businesses cannot keep personal data for any longer than necessary. Also in line with the DPA, the GDPR requires a lawful basis before you access or process client personal data. Where that basis is consent, the consent must be valid and documented: the individual must give it by a clear affirmative act before processing begins, and the regulation’s recitals state that ‘silence, pre-ticked boxes or inactivity’ do not constitute consent.
2. Data Protection Officer
You’ve already considered the role of the Data Protection Officer (DPO) with respect to impact assessments. The GDPR prescribes that all public authorities and bodies (other than courts acting in their judicial capacity) must have a DPO. Private organisations whose core activities involve ‘regular and systematic monitoring of data subjects on a large scale’ must appoint a DPO, as must those whose core activities involve large-scale processing of ‘special categories of personal data’ (such as health, biometric or genetic data) or of data relating to criminal convictions. The GDPR does not specify credentials for your DPO, but the regulation states that they must have ‘expert knowledge of data protection law and practices.’
3. Data Breach Notifications
Currently in the UK, reporting personal data breaches is best practice but, outside the PECR rules for telecoms providers, not compulsory. Under the GDPR, reporting any data breach that is likely to result in a risk to individuals’ rights and freedoms becomes mandatory. Data controllers must report such breaches to their supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, and data processors must notify the controller they work for without undue delay. As discussed, if there is a high risk to individuals, the people affected must also be informed.
The GDPR clearly states that data processors will have legal obligations and responsibilities. By extension, this means that they can be held accountable for data breaches. Data controllers and processors will need to clearly spell out and document their individual responsibilities with respect to the use of sensitive information. In essence, this means that your company has greater accountability and liability when it comes to processing data of a personal nature.
The GDPR reporting requirements will probably mean significant changes to the way you identify, handle and respond to personal data breaches. In essence, whether or not an incident needs to be reported to the ICO depends on the risk it poses to the people involved. Pan-European guidelines from the Article 29 Working Party on breach notification will assist you in determining reporting thresholds. A sensible approach, however, is to examine the types of incidents your business could face in advance. This will help you to develop a sense of what constitutes a serious incident in the context of your data and your clients, rather than deciding under pressure inside the 72-hour window.
4. Privacy by Design
Privacy by design is a strategy that builds privacy and data protection in from the outset. Currently, this is not a requirement of the DPA. The GDPR, however, makes ‘data protection by design and by default’ (Article 25) a legal obligation from the start of any service involving the processing of personal data. By default, only the personal data necessary for each specific purpose may be processed, and that data may be collected only for specified purposes. Furthermore, to protect individuals’ privacy rights, data must be discarded when no longer needed or in use.
Four steps to GDPR compliance
So far in this report, you’ve delved into the principles of the GDPR, examples of how these principles may affect your SMB operations, and why the GDPR is a binding legal obligation replacing the DPA. The GDPR will take your data handling, processing and storage practices into a new realm of enhanced reporting and attentiveness. With six months to go until the GDPR applies, it’s best to take the necessary steps now and prepare your business for compliance.
The Microsoft Trust Centre has developed a comprehensive set of resources aimed at simplifying your GDPR compliance journey. Many of the resources recommend a four-stage model when preparing your company to meet the compliance deadline in May next year: Discover, Manage, Protect and Report.
1. Discover
The process of discovery is to identify what personal data your business has, where it resides and whether the GDPR applies to it. Under the regulation, ‘personal data’ is broadly defined as any data relating to an identified or identifiable natural person. Data that can be used for identification includes names, email addresses, physical or physiological information, location data, IP addresses, cookie identifiers, and the list goes on. Your personal data inventory comprises every container in which personal data is collected and stored: emails, documents, log files, metadata and backups are all part of it. Vital to your discovery is to compile an exhaustive inventory of personal data. This task should be assigned to someone senior who understands the business’s data flows; your company, as the data controller, remains responsible for the inventory being complete and accurate.
Do you need to be GDPR compliant? If your business holds personal data, whether in databases, customer feedback forms, photos, CCTV footage, HR files or email content, then the answer is unquestionably ‘yes’. If your company does not yet hold such data but intends to collect it, the answer remains unchanged. Even if you operate part of your business outside the EU, you may still need to comply: the GDPR also applies to organisations established outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, wherever the data is collected, processed or stored.
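The discovery step above is usually the first place an SMB stalls, because nobody knows which files and logs actually contain personal data. The script below is an added example, not code from the original report, the ICO or Microsoft. It scans a handful of constructed sample ‘containers’ (a web access log, a support mailbox export and a finance note, all invented for the example) for three identifier types the regulation treats as personal data even without a name attached: email addresses, IPv4 addresses and UK mobile numbers. The regular expressions are heuristics and the container names are assumptions; a real inventory would point the same logic at your actual file shares, mailboxes and log directories and would add patterns for the identifiers your business holds.

```python
import re

# Heuristic patterns for identifier types that count as personal data under
# the GDPR even when no name is present (they can single out an individual).
# These are illustrative assumptions, not an exhaustive or official list.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    # UK mobile numbers written as 07xxx xxxxxx or +44 7xxx xxxxxx.
    "uk_mobile": re.compile(
        r"(?<!\d)(?:\+44\s?7\d{3}|\(?07\d{3}\)?)\s?\d{3}\s?\d{3}(?!\d)"
    ),
}


def scan_text(text):
    """Return {category: count} for every identifier type found in text."""
    found = {}
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[name] = len(hits)
    return found


def build_inventory(containers):
    """containers maps a container name (file path, mailbox, table) to its text.

    Returns {container: {category: count}} for containers holding at least one
    match; containers with no personal data are omitted so the result is the
    list of places that need a lawful basis, a retention period and protection.
    """
    inventory = {}
    for name, text in containers.items():
        hits = scan_text(text)
        if hits:
            inventory[name] = hits
    return inventory


# Constructed sample containers (invented data, documentation-range IPs).
SAMPLE_CONTAINERS = {
    "web/access.log": (
        '203.0.113.7 - - [20/Nov/2017:10:01:22 +0000] "GET /account HTTP/1.1" 200 512\n'
        '198.51.100.23 - - [20/Nov/2017:10:01:25 +0000] "POST /login HTTP/1.1" 302 0\n'
    ),
    "support/inbox.txt": (
        "From: jane.doe@example.com\nSubject: refund\n"
        "Please call me on 07700 900123 about order 4471.\n"
    ),
    "finance/q3-summary.txt": "Revenue 1.2m; costs 0.9m; headcount 14.\n",
}


def main():
    # Print the inventory one container per line so it can be pasted into a
    # record of processing activities.
    for container, hits in build_inventory(SAMPLE_CONTAINERS).items():
        print(container, hits)


if __name__ == "__main__":
    main()
```

Running the example reports the access log (two IP addresses) and the support mailbox (one email address and one mobile number) as containers holding personal data, while the finance summary is left out. Note that the web server log appears in the inventory even though it holds no names: the regulation explicitly counts IP addresses as online identifiers, which is why log retention periods belong in your records alongside customer databases.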
2. Manage
With the principle of rights and freedoms in mind, the GDPR gives data subjects – the individuals to whom the data relates – greater control over how their personal data is accessed, processed and stored. Data subjects can request a copy of the personal data you hold about them (a subject access request) without having to give a reason. In certain circumstances they can also have the processing of their data restricted or the data erased. You generally have one month to respond to a request, extendable by a further two months where requests are complex or numerous.
In order to satisfy your SMBs obligations to data subjects, you need to comprehend the types of personal data that is processed by your company. You will also need to establish how it is processed and for what purposes. Having an all-embracing inventory is the first step to managing how personal data is accessed and used.
The next step is to develop and implement a robust data governance plan. A data governance plan will help you and your management to define policies, roles and responsibilities for the access, processing and management of personal data. A well-constructed plan will also ensure that your data handling practices are in line with the GDPR. For example, your plan should include procedures for handling a data subject’s requests for access, deletion or transfer of their data within the statutory deadline. Such procedures show that you take the GDPR seriously and respect the rights of your data subjects.
3. Protect
While you, your IT department and other employees may appreciate the importance of information security, the GDPR has raised the bar for data protection. Under the new regulation (Article 32), your SMB will be required to take appropriate technical and organisational measures, proportionate to the risk, to protect personal data from loss, unauthorised access or disclosure.
Undeniably, data security is a complex issue. You will need to identify and consider a range of risks, including physical theft of data-storing hardware, accidental loss or deletion, and hacking and cybercrime. You would be wise to establish resilient risk management plans. You can also take risk mitigation steps such as access controls and strong authentication, audit logging, pseudonymisation and encryption, and regular testing of the effectiveness of those measures; pseudonymisation, encryption and regular testing are named explicitly in Article 32 as examples of appropriate measures.
You will also need to have in place systems to detect and respond to vulnerabilities and data breaches. As you know, when a breach puts rights and freedoms at risk, you will need to notify the ICO and possibly the affected data subjects, and the 72-hour clock starts when you become aware of the breach, so detection capability directly determines whether you can meet it. Being able to monitor for and detect intrusions into your IT infrastructure therefore benefits your SMB in its own right and takes you one step closer to full GDPR compliance.
4. Report
It’s evident that the GDPR sets high standards for transparency, accountability and record-keeping. You and your employees need to be more transparent in terms of how personal data is handled and your transparency must extend to show how you actively maintain documentation defining processes and use of personal data. Everybody knows that paperwork is a headache but it’s a better deal than facing the consequences of non-compliance.
You will need to keep up-to-date records (Article 30) of the purposes of data processing, the categories of personal data processed, the identity of third parties with whom data is shared, which third countries receive personal data, the organisational and technical security measures in place, and the retention period applying to each data set. Article 30 exempts organisations with fewer than 250 employees only where the processing is occasional, unlikely to result in a risk and involves no special categories of data, which excludes most businesses holding customer or HR data. An effective means of achieving such a monumental record-keeping task is to use auditing tools. Such tools ensure that the processing of data – collection, use, sharing, dissemination or otherwise – is tracked and securely recorded and stored.
Benefits of the GDPR
While you might be thinking that there are too many rules and regulations to follow, the GDPR has inherent benefits, both safeguarding the privacy rights of individuals and helping you to streamline the management of sensitive data in your business. The GDPR is particularly beneficial if you operate in two or more EU Member States. From May next year, cross-border processing will be overseen by a single lead supervisory authority, the one in the Member State of your main establishment, rather than one for each country. Essentially the GDPR offers a one-stop shop that promotes simplicity and cost savings for businesses.
Consequences of non-compliance
You already know that the ICO is entitled to impose a maximum monetary penalty of £500,000 for serious breaches of the DPA. Although it has never issued a single fine over £400,000, the ICO is increasingly clamping down on non-compliant organisations. In 2010, only 2 penalty notices were issued for DPA-related offences, totalling £160,000. In 2017 to date, 56 companies or government bodies have been fined by the ICO, totalling more than £4,000,000. The ICO website contains information about the latest fines and breaches. Individuals may face criminal prosecution for certain offences under the Act, and the ICO can also serve enforcement notices and assessment notices requiring an organisation to submit to a compulsory audit.
When the changeover comes in May next year, organisations responsible for data breaches will face a dramatic increase in the fines they can be required to pay. Under the GDPR, administrative fines are set in two tiers: up to €10 million or 2% of worldwide annual turnover for breaches of obligations such as security, record-keeping and breach notification, and up to €20 million or 4% of worldwide annual turnover for breaches of the core principles, individuals’ rights or the international transfer rules, in each case whichever is higher. The ‘whichever is higher’ rule matters for an SMB: imagine a company with a turnover of £5 million that commits a serious breach. Four per cent of its turnover is only £200,000, but because the ceiling is the higher of the two figures, the ICO can work to a maximum of €20 million. Fines must still be proportionate to the breach, but the threat of insolvency or closure as a result of GDPR penalties is one that any SMB owner needs to be cognisant of.
Here’s some more food for thought on GDPR non-compliance: In the news at the moment is the large-scale breach of Uber’s data. Hackers stole the personal information of 57 million customers and drivers, including names, email addresses and mobile numbers. Worse still, Uber has confirmed that it paid the hackers £75,000 to delete the data and not say a word. Uber kept quiet for over a year; the breach and its concealment were reported by Bloomberg in November this year.
Had the GDPR been in effect, Uber would have had to inform data regulators within 72 hours of becoming aware of the breach, and concealing it for a year would itself have been a failure to notify. If found in breach of the regulation, Uber could have faced a fine of up to 4% of worldwide annual turnover, which, given that its revenue is in the billions, would exceed the €20 million floor of the upper tier. Dean Armstrong QC, a cyber law barrister, has said that Uber will feel the biggest impact on “reputation, which although harder to quantify than a fine could far outstrip any penalty handed to them by a regulator.”
Take the ICO test
The ICO is aware that organisations are concerned about being prepared for the forthcoming GDPR in May 2018. On the ICO website, you’ll find a wealth of information to assist and guide you in preparing for the regulatory changes ahead. The ICO also has an online Getting Ready for the GDPR checklist that contains 13 quick response questions to ascertain how well-positioned your company is for GDPR.
The ICO checklist will help you to assign responsibilities to manage the transition to GDPR and guide you in assessing and identifying areas that could result in compliance problems. The outcomes of the checklist questions can also be used to promote general awareness of the GDPR in your business and to educate your staff on the changes to the current legislation.
Managed services and the GDPR
If you are feeling overwhelmed by the complexities of the GDPR, feel that you won’t be ready in time, or don’t know where to start, don’t panic. Besides drawing on information from the ICO, Microsoft and other external resource providers, you can approach a Managed Service Provider (MSP). A local MSP with data protection experience can help ensure that your SMB is GDPR ready on 25 May 2018.
An outsourced MSP will provide your SMB with sound advice and guidance on all aspects of GDPR implementation. Some of the services that an MSP offers to SMBs include:
- explaining all facets of the GDPR and their impact
- determining whether the GDPR is applicable
- classifying all forms of personal data that are accessed, processed and stored
- establishing a personal data inventory
- implementing a robust data governance plan
- taking appropriate technical and organisational steps to avoid loss of personal data
- creating systems to detect and respond to vulnerabilities and data breaches
- using auditing tools for the tracking, recording and storing of processed data
Parting GDPR words
Nothing can be done to change the fact that the GDPR will be enforced across the European Union next year. What can be done is to prepare your company for the legislation in a timely, calm and responsible manner. Whether you decide to go it alone, relying on the guiding resources from the ICO and Microsoft, or draw on the skills and talents of an MSP, your SMB needs to lay the groundwork for incorporating the GDPR into daily operations. You cannot risk non-compliance and its aftermath.
At the end of the day, the GDPR is a piece of legislation designed to protect the rights and freedoms of everybody, your staff included. The GDPR will make business practice transparent and ensure that use of personal data is legitimate. By applying transparency and legitimacy to your handling of personal data, you need have no fear of the GDPR. You can look forward to a prosperous and secure future for your company and clients.