Organisations should not wait for the EU to finalise new privacy rules before taking action. That was the message from the ICO last week, as the UK data regulator released a three-year corporate plan alongside the results of a new annual survey into consumer attitudes to privacy and data protection.
Although it seems likely that the Data Protection Regulation (DPR) won’t come into force until late 2017 at the earliest, the text is expected to be agreed by all parties by the end of this year. There is still a lot of uncertainty over the finer details of the law, including what will or will not be considered personal data. However, it is safe to assume that the broad rights of individuals and responsibilities of organisations are not going to change much.
There is therefore an opportunity for businesses of all sizes to begin some preparation now. And one good reason to avoid delay is financial. If you wait until the text is agreed to act, you are likely to find skills and expertise are suddenly in short supply and high demand. When that happens prices rise and opportunists with no real expertise step in to offer quick fixes that could leave you out of pocket and no better protected than before.
The big question of course is, where do you invest now in order to save later?
In my view, these are the top three issues:
- Transparency with consumers is key. Organisations will need to be able to explain in clear language what data they collect from and about individuals, and how they make use of it.
- Be prepared to defend your data use practices. Accountability is an important concept in the DPR. It means having a lawful basis for each of your data use practices, one that you are able to justify if challenged by either customers or regulators.
- Minimise risk wherever you can. Information about people is an increasingly valuable commodity, and that comes with increasing risks, both to the individuals themselves and to your business. Data breaches and cyber-attacks are the high-profile examples, but there are others. Understanding these risks is the first step in counteracting them. Big fines are most likely to be handed out to organisations that fail to manage risks properly, and of course those fines are a risk in themselves.
The first step in preparing for the impact of the DPR in all these areas comes down to one thing: Know Your Data.
To get a complete picture you need to document:
- What data are you collecting on individuals?
- Where does it come from?
- What are you using it for?
- Where and how are you storing it?
- Who is responsible for it and who has access to it?
- Are you passing it on to any third parties?
Of course, simply having all this information to hand is not going to make you compliant, but it establishes the baseline on which a compliance programme can be built.
What it does do is enable you to answer questions such as: Are we keeping people properly informed about how we use their data? Do we have a justifiable reason for collecting and using each item of data? Are there steps we can take to reduce unnecessary use or unnecessary risk?
Whatever the final form of the DPR in terms of its scope and the level of responsibilities placed on organisations, having the answers to these questions will be key to any project designed to ensure compliance.
And if you don’t Know Your Data, all you can really be sure of is that your business is carrying unknown data risks. In a world of big regulatory fines, and of bigger possible brand damage if you are caught doing something wrong with people’s information, that is a significant risk to carry.
We Can Help
If you just need somewhere to get started, then you can sign up for our DPR Readiness Toolkit, which includes a free spreadsheet template to start documenting your use of personal information.
If you need more detailed advice and help, then please give us a call.