Businesses warned: UK Data Bill may be just the tip of the data protection iceberg

Business Insights
16/08/2017


Businesses are being warned there is a definite trend towards ever-greater legal requirements over how data is stored and collected – and it can no longer be ignored.


Withdrawing Personal Data Consent

The UK Data Protection Bill hit the news this month, handing Britons increased rights over the use of their personal data.

It will make it simpler for people to withdraw consent for their personal data to be used, allow them to ask for it to be deleted or updated – and also require firms to obtain explicit consent to process sensitive data in the first place.

The bottom line is that, in future, businesses will need to know exactly what data they store, how to access it and how to edit it. In addition, they must be certain that the data subject has given proper consent.


GDPR

The Bill will come as no surprise to those who have followed the progress of the EU General Data Protection Regulation, which is due to come into force in May 2018 and which contains highly similar language.

In fact, there has been a string of recent legislation all designed to tackle the issue of data protection and regulation.

These include:

  • Privacy & Electronic Communications Regulations (enforcement May 2016)
  • Payment Services Directive 2 (enforcement Jan 2018)
  • EU General Data Protection Regulation (enforcement May 2018)
  • Network and Information Systems Directive – consultation period
  • UK Data Protection Bill – in Queen’s speech and more details published in August


‘Greater and more detailed control’

John Culkin, Director of Information Management at Crown Records Management, believes the direction of travel is very clear.

“Businesses now need to realise that there is a definite trend towards legislation which requires organisations to have greater and more detailed control over personal data.

“With increased legislation from the UK, EU and many other governments worldwide, the direction is all one way – more protection and higher penalties for getting it wrong.

“Most senior staff in companies are well aware of the fiduciary duties around money and property, but how long can it be before the highest standards of care are demanded of personal information too?”


Culkin believes the publicity around new data protection regulation, together with a series of high profile data breaches, has now created an environment where shareholders are far more aware of data issues and nervous about how they may affect the business.

He said: 

“Shareholder interests are already being directly hampered by loss of data - we saw the TalkTalk share price fall dramatically after a breach and other high profile cases have produced similar results.

“So there is already a direct correlation, yet still ‘data’ issues are often relegated to IT to deal with as an operational issue, ignoring strategic opportunities in a data-led age.

“Whole companies are built on data and whole industries affected – so the ostrich response of ignoring the obvious change is no longer good enough. It’s not one piece of legislation but a whole wave of them, and it’s not likely to stop.”


A recent Crown Records Management survey of IT decision makers at companies across the country revealed some worrying results when it came to attitudes towards data protection.

These include:

  • 56 per cent have not yet undertaken an information audit, meaning they may not have a clear picture of data in the business.
  • 24 per cent had cancelled their plans to prepare for the EU General Data Protection Regulation in light of Brexit. The UK Data Bill proves they were wrong to do so.
  • 44 per cent don’t regularly review what data is stored in the cloud or on premises.
  • Only half are ‘very confident’ they have a full and accurate picture of all the information they hold in the business.
  • Only 45 per cent are ‘very confident’ their business currently complies with the requirement to obtain explicit consent to hold data for specific purposes.


Culkin believes the key to improving data protection is strategic input at board level to change the whole culture of a business.

“It’s clear from these results that not all businesses are taking data protection and information management seriously enough. The solution involves people, processes, culture and putting customer data first rather than just technology,” he said.

“Until boards stop thinking about managing data as an IT cost rather than an investment in their future, not much will change.

“What’s important now is for businesses to respect people’s data and put good data governance in place. Those who do so may also find rich rewards because customers increasingly value the safety of their data. It will also allow companies to worry a lot less about possible fines.”

visit www.crownrms.com