Changes to data protection are on the horizon
A number of recent data breaches have caused significant damage to company reputations. These include:
- TalkTalk suffered a cyber-security breach in 2015 in which the personal data of over 157,000 customers was exposed. TalkTalk was fined £400,000 by the Information Commissioner's Office for its security failings. Furthermore, TalkTalk claims the incident cost the company £50 million and the loss of 100,000 customers.
- In August 2016 FTSE 100 accountancy and business software developer Sage notified up to 280 of its UK clients that there may have been a data breach following the unauthorised use of an insider’s login credentials.
- Morrisons is being sued by nearly 6,000 current and former members of staff after their personal details were leaked by a former colleague.
The EU aims to tackle the problem by enhancing data protection within new, consolidated legislation. The General Data Protection Regulation (GDPR) will not only standardise the way data breaches are handled across member states but also address the significant advances in technology that have taken place since the current Data Protection Directive was introduced. A detailed breakdown of the key changes and how to prepare your business can be found in our data protection fact sheet.
It is currently uncertain what effect Brexit will have on the UK's implementation of the new regulations, which are due to come into force in 2018. However, given the government's wish for the UK to continue to trade with the EU, it is unlikely that the government will want to give the impression that the UK is falling behind in data protection.
Although the new regulations provide many benefits in terms of harmonising legislation across the EU, businesses are likely to need a significant amount of time and resources to adapt to the changes. The familiar terms 'data controller' and 'data processor' are retained, but data processors will have new obligations to implement data security requirements and to notify security breaches, and may be subject to hefty fines if they fail to comply. Data controllers will be required to act in accordance with the new principle of accountability: they must adopt policies and implement measures that allow them to demonstrate that personal data is being processed in accordance with the regulations.
There are a number of steps businesses can take to prepare for the introduction of the GDPR:
- If your business is not currently subject to the Data Protection Directive, check to see if the wider scope of the GDPR will apply.
- Start to consider a response plan – what will you do if there is a data breach?
- Review your data policies – are your employees clear on what they can and cannot do?
- Ensure that the data you hold is entirely necessary and up to date.
- Consider whether training sessions would be appropriate for your workforce.
- Review agreements between data processors and data controllers to ensure that both parties are clear on their obligations and the potential risks of non-compliance. Ensure you are clear which category you fit into.
No amount of training or paperwork can be guaranteed to prevent a sophisticated criminal attack. Nevertheless, such measures can significantly mitigate the consequences of the kind of human error seen at the heart of most data breaches and protect businesses against potentially serious liabilities.
Please contact us if you would like to discuss how we can help you to protect your business against breaches of data protection requirements.