Leo Martin of business ethics advisers GoodCorporation argues that early preparation for new laws makes good business sense
The government’s plans to revise the UK’s data protection laws, announced this month, will effectively ensure that the UK remains compliant with the EU’s General Data Protection Regulation (GDPR), which is applicable from May 2018.
This announcement is helpful for businesses and should clarify some of the confusion around the need or otherwise to prepare for the GDPR. According to a Netskope survey conducted in January 2017, more than half of the IT and security professionals surveyed had never heard of the GDPR, and three-quarters reported that their employer did not provide any information in relation to it. In addition, a recent study claimed that a quarter of all businesses had cancelled their GDPR preparations because of Brexit, in the assumption that it will no longer apply to the UK once the country has left the European Union.
Under the proposed new legislation, the government will be bringing the GDPR into UK law, which will help UK businesses post-Brexit. So what steps should businesses be taking now?
First map your data
The first step to take is to conduct a data-mapping exercise to ensure that businesses have a comprehensive overview of the data that is being collected, processed and held. A completed data map will show what categories of data are held and processed by the various business units, and demonstrate how data flows between business units and/or third parties.
Data controllers must know who the data belongs to, where and how it was collected, where it is stored, the precise content, when it was collected and for how long, and what the purpose of the collection was or is. Data mapping fulfils a crucial role in answering those questions and a good data map will clearly set out the flows of data and locations where data is held.
The forthcoming legislation is likely to require organisations to maintain records of processing activities (see, for instance, Recital 82 and Article 30 of the GDPR). Without data mapping, it will be near-impossible for an organisation to meet its statutory (and often contractual) obligations in respect of the collection, use, retention, disclosure and disposal of personal data.
It will be crucial to review on what basis personal data is being processed, to ensure it is done in a manner that is fair, legal and legitimate. There are several grounds on which personal data may be processed, one of which is consent. Those organisations relying on consent for processing personal data should check how they obtain such consent: the so-called “opt-out” consent, or pre-ticked boxes, or anything that assumes consent, will no longer be acceptable. It is important to make sure that consent is validly obtained, freely given, specific, and informed.
A holistic approach
One of the aims of the new UK and EU data protection legislation is to ensure that organisations put data protection and privacy concerns at the heart of their operations – data considerations should become an integral part of business functions, not an addendum. This explains the introduction of concepts such as “privacy by design” and “privacy by default”, and is likely to require dedicated training, not just for the IT or compliance departments, but for all staff members. Data breaches may occur through human error and a lack of specific training. As such, organisations should spend some time developing data protection training that is rolled out across all their entities.
Top-management commitment is likewise crucial in highlighting the importance of data protection. The board of directors or equivalent ought to consider data protection at their board meetings, and actively promote the issue throughout the company. Data protection policies, updated to reflect the heightened requirements of the GDPR, and in time the UK’s data protection laws, should be considered, discussed and signed off by the board, and circulated throughout the organisation.
The benefits of preparing now
Businesses should not wait for the UK Data Protection Bill to move through parliament, but proceed as if complying with the GDPR, which the draft Bill maps.
Fines for failing to comply will be significant, up to £17m or 4% of the organisation’s worldwide turnover. For the largest companies, this could mean potential fines going into the billions of euros.
The benefits of compliance go beyond fine-avoidance. According to the Department for Digital, Culture, Media and Sport, research shows that “more than 80% of people feel that they do not have complete control over their data online”. Those falling foul of the new data protection laws are therefore likely to suffer reputational damage in the eyes of an increasingly data-conscious public, so falling behind other companies in relation to data protection may mean less business in the future.
Conversely, being able to meet the GDPR’s standards by offering consumers greater control over their data, having processes in place to address erasure requests and being able to meet data portability demands is likely to make an organisation attractive to consumers inside and outside of the EU.
While such an overhaul of data processing practices may seem daunting, businesses that are prepared for the new legislation are not only protected from possible prosecution, they will also have a heightened understanding of their business structures and operations. Knowing how and where your data flows will give a good overview of every department and may uncover duplications or inefficiencies. It should also strengthen general safety and security measures in relation to the storing and sharing of data, which should reduce the likelihood or frequency of breaches and any resulting costs. According to an extensive study by IBM and the Ponemon Institute, in the UK alone the average cost of a data breach in 2016 was a staggering £2.53m.
Protecting personal data goes beyond regulatory compliance; it should be seen as a component of good corporate governance and a function of an ethical business culture that demonstrates an organisation’s commitment to doing the right thing.
Leo Martin is co-founder and director of business ethics adviser GoodCorporation.