The ‘right to be forgotten’ has made big headlines as Google and Microsoft rush to delete out-dated information in internet searches following a ruling by the European Court of Justice. But is UK business truly ready for the next wave of data reform which is approaching fast?
High-level discussions on the new EU General Data Protection Regulation – which plans to harmonise data regulation across Europe and give citizens greater control over their personal data –have begun again this month. And it is predicted to be approved next year and in place by 2017.
The expression ‘right to be forgotten’ may not be included in the final draft – it is likely to be re-phrased as a ‘right to erasure’. But nevertheless the impact on any business which handles the data of European citizens could be considerable when the Regulation, replacing the current UK Data Protection Act 1988, is adopted.
The big fear for all companies will be the huge potential fines for data breaches – up to 5% of annual turnover or 100m Euros if greater.
The regulation will also bring data processors – and not just data controllers – into the net. So every company handling data will be affected, whatever its size or business.
Other new rules will include a requirement to gain the ‘explicit consent’ of citizens before collecting their data in the first place.
These are big challenges. But below are five key areas in which companies can prepare for all eventualities by adopting basic principles of data collection, storage and destruction.
Spring-clean your data and understand its value – Start with an audit to distinguish how much data currently stored actually needs to be kept. Is it ‘records’ or in fact junk or data noise? Destroying unnecessary information can help create a clearer picture for the future, especially if data needs to be searchable and editable – which it will be under the new Regulation. For data that needs to be kept, make sure you know where it is stored, who uses it, how to access it and how to protect it. It is worth considering, too, that the new Regulation is expected to include a ‘right to portability’ for citizens who want to ask for their data in a useable format – another considerable challenge. The key to good data practice, however, is in understanding its value in the first place. Treat data like an asset and you make a good start.
Know who is responsible and assign ownership – With fines for non-compliance so high – up to 5% of global turnover for those who negligently breach the rules - it is vitally important that someone in the business takes ownership and responsibility for staying up to date with new regulations. Make it clear which role in your business has responsibility for each type of data – whether it is the IT Manager, CIO, Records Manager or an outsourced company.
Develop processes now to deal with data breaches – It will soon be compulsory for all companies in the EU to have a system in place for dealing with data breaches, including processes for notifying anyone affected. The Regulation is expected to set strict deadlines for reporting breaches both to the Data Protection Authority and to the subject affected. So why wait? Clear and well-practised procedures should be put in place now – not least to identify who is responsible for reporting.
Understand whose data it is – In the future, companies will require explicit consent from people to gather their personal data in the first place; so get those processes in place early. Any company that stores personal data should consider what the legitimate grounds for its retention are and how it will communicate this to customers.
Design-in privacy: change your culture – Start to create a company culture where privacy is considered in every process and at every level of the business. It is very likely that the first person to touch data in your company is not a senior figure – data may arrive through a customer call centre, in an email, fax or mail room for instance. Designing-in privacy – and making staff at every level aware of its importance – is the key to good data practice as data protection evolves.
The bottom line is the age of data is changing fast, no matter how the final draft of the EU Data Protection Regulation takes shape.
We are looking at a world in which citizens are demanding more and more control over their personal data – and more and more access. So although the new regulations aim to simply and harmonise data regulation, they also come with severe penalties for those that negligently breach them.
It may be a significant challenge for businesses that do not have the necessary processes – or robust enough data policies – in place. Equally, for those that fail to identify early what data to keep and what to destroy, there could be problems ahead.
But for those who grasp the nettle and see it as an opportunity to truly value data as an information asset, it can still be a brave new data world. Now is the time to prepare.
About the author: John Culkin is Director of Information Management at Crown Records Management, a data management expert with a presence in nearly 60 countries. In his role, John provides consultancy and information solutions for companies across a wide variety of sectors, from NHS Trusts to financial services, law firms and other public sector organisations. An expert in data protection, his highly-regarded white paper ‘Leaving the digital Stone Age behind’ explored the implications of the forthcoming EU General Data Protection Regulation which is expected to be passed next year.
This article originally appeared on www.idgconnect.com and is republished with prior permission.