Insight: Time to put data front and centre
The countdown is under way for manufacturers to comply with the new General Data Protection Regulations. David Preece, from FBC Manby Bowdler, is part of the firm’s expert team helping businesses prepare for GDPR and shares his thoughts on what manufacturers need to focus on
One of the key considerations of the regulations being enforced from May is that the new penalties coming into force are potentially devastating compared to what we have now.
There are two tiers: the first is up to €10m or two per cent of a company’s global turnover of the previous year, whichever is the higher; the second is up to €20m or four per cent of the previous year’s turnover, again, whichever is higher. This is a significant difference to the fines the Information Commissioner’s Office can currently levy.
Taking a high profile example, Talk Talk’s 2016 fine of £400,000 for allowing hackers to access customer data could have rocketed to £59m under GDPR. Figures like that should be enough to make anyone pay attention.
But it’s not just big companies which will be affected by these new rules; SMEs are not immune to GDPR and they won’t be immune to the potential fines either.
Most business owners and managers are familiar with the Data Protection Act. Since the original Act in 1994, and later revisions, it has governed how businesses store, protect and manage data.
That’s all about to change in a big way, though, and companies need to be able to show they have addressed those changes and are working to the new regulation from May 25th 2018.
The General Data Protection Regulation (GDPR) goes much further than the Data Protection Act, with the aim of bringing the use of personal data in line with the times we live in, where data is currency in its own right and there is so much of it being collected and shared that the abuse of it is ever more likely.
In fact, those who framed the regulation at the European level argue that it is as much about enabling those who store and process data to legitimately make a commodity of it, without rampaging over the rights of every person they hold information on.
Often one of the first questions asked on this topic is whether it should really be taken seriously, given that we as a country are on a course to leave the EU. The only answer is that these laws are due to be implemented before our leave date in 2019 and, even then, are likely to be adopted either in their entirety or as a version that closely resembles the European regulation. In any case, if you continue to handle the data of EU residents, you will need to comply with the full rules.
The next natural query is: what’s so different about GDPR? You could say it’s a root and branch reappraisal of the methods of collecting, storing, sharing and protecting data.
There is much more focus on whether and how permission to store and use the data was gained, ensuring it remains accurate, giving the subject the right to access it or to ask you to share it elsewhere and, critically, the steps you take to protect it.
It is very hard to think of a business that would not need to be taking action around GDPR. From the basic collection and use of email addresses for mailing lists, all the way through to more sensitive data, such as personal financial or health records, there are steps that must be taken and new practices which have to be introduced if you are not to get caught out.
You need to consider who has access to data and whether they are able to move it around. Yes, laptops and mobile devices are an area of risk (in this and other ways), but you also need to be considering the rather more complex issue of Internet of Things devices – the internet-connected equipment (such as TVs, security cameras, wireless switches and so on) which might pose an unexpected risk to the cyber security of your business or even have the potential to leak sensitive data themselves.
This can all seem to be a very big, complex and somewhat daunting job, especially for some SME manufacturers who may not have expertise in-house to deal with the implications and implementation.
However, the businesses which deal with this well will be the ones who also embrace it as an opportunity. Many are sitting on a vast wealth of data that they are not recognising and making good use of. It could represent better intelligence about their customers and their habits, or it could be management data which can be leveraged to make the organisation more efficient and, therefore, profitable.
The steps you need to take will vary by business type and we couldn’t hope to cover them here. Fundamentally, you need to ensure that everyone in your business is aware of the changes and the care with which data must be treated.
You need to assess what data you have, how it was obtained, whether you still have the right to hold or use it and who you share it with. You need systems to log how and when your data is used and by whom; ways to ensure requested corrections and updates are made in a timely and accurate fashion (and shared with third parties who may also hold that data); and a process to clearly and efficiently make information available in full to the people it is about if they ask.
Most importantly, you must take great care over data security. Breaches and losses of data are where the really big fines will be levied. The less care and preparation you have taken, the harsher the penalties are likely to be.
It’s highly likely that most businesses will need expert support to meet their GDPR obligations and the clock is now very much ticking. If you do not already have preparation in hand or know where your knowledge will come from, start talking to your professional advisors now. Right now.
Data is at the heart of the economy now. Every business is expected by law to take its responsibilities for data and the people it represents very seriously. The penalties for failure to do this will quite likely see the destruction of some businesses and, you may argue, by failing to prepare, they will have brought this on themselves. After two years of transition, ignorance will be no defence.
Key things to know about GDPR:
• Enforcement begins on May 25th, 2018
• You have a duty to notify the ICO if you become aware of data breaches
• The subjects of your data have the right to access it or ask you to send it elsewhere
• Penalties go up to €20m or four per cent of turnover, whichever is higher