As we always say – data protection isn’t just one of those things we have to do because of bureaucracy and political correctness; we may not think it matters, until it’s our personal data that’s been compromised. Then we’ll really think it matters.
New law comes into force in May 2018 – not long now – and this is a European regulation, the General Data Protection Regulations 2016 (GDPR). If you’re wondering if it’s affected by Brexit – it’s not as the ruling is already part of UK law. European data protection legislation is widely regarded as the international gold standard, and there is no likelihood that the UK will look to water that down post Brexit, because it would damage the ability of the UK to do business internationally.
In the UK this is administered by the Information Commissioner’s Office (ICO) which produces excellent, accessible guidance for businesses on data protection, in some cases specific to particular types of business – such as telemarketing businesses, and those most likely to be using databases. Charities and public authorities are vulnerable, and the ICO target those organisations which are most likely to handle personal data.
The ICO is not afraid to name and shame – they publish and tweet their decisions and fines. At the moment their fining abilities are limited – to £500,000. Even the massive TalkTalk breach therefore only attracted a £400,000 fine, because that was 80% of the maximum. Under the new regulations the maximum fine is 4% of global turnover – for TalkTalk that would have been £67 million. We think businesses are going to take this more seriously …
Many companies are going to have to appoint Data Protection Officers, who will need to be specialists in the field – or become and remain specialists. We expect this might be outsources in some cases. The prime responsibility of the DPO will be to report breaches to the ICO – in effect, to whistleblow on their own businesses. We can see this being a really uncomfortable role. We’re all going to have to get used to it.
Even if we do think data protection is a nuisance, then – and we’d be wrong to think that, in our opinion – the days of taking it lightly are really over. We all need to understand it (and this is something we are able to provide training in). The costs of ignoring this – financial, reputational and for the survival of business – are going to be far too high.
Paul Berwin is a Commercial and Digital Law Specialist. He is Founder and Senior Partner at Berwins Solicitors.