PC Pro

We explore how businesses could be affected by the Data Protection Bill

New, stricter legislation around how companies handle customers’ data is fast approaching, but most of it is common sense, explains Nik Rawlinson


The Data Protection Bill, which started its path through Parliament in September 2017, was a headline clause in last summer’s Queen’s Speech. In many ways, it’s our first tangible step towards Brexit, putting a range of EU laws onto our own statute books in advance of our departure. Key among them is the General Data Protection Regulation (GDPR), with which we’ll need to comply if we want to trade data with the bloc’s 27 remaining members.

The bill itself has been published on the Parliament website (pcpro.link/279bill), but at 203 pages, many of them technical, it’s not a light read. Elizabeth Denham, the information commissioner, described it as one of the final pieces of much-needed data protection reform, and a great part of it seeks to regulate how much data businesses can gather – and what they can do with it once they have.

First steps

Most immediately, businesses need to make sure they can identify a user’s specific data and, if required, remove it from their databases. If you’re planning for GDPR, which the UK will implement in May 2018, you should already be well placed to do this, as Ian Kilpatrick, executive VP for cybersecurity at Nuvias, explained.

“If we find there are any major divergences [from GDPR] where the UK has proposed increased regulations, my expectation is that they would be filtered down in order to avoid confusion. It makes no sense to have a stronger variation of this law when what we’re trying to do is agree a standard across Europe.”

The government claims the act will be more appropriate for the “Digital Age”, giving consumers greater control over the use of their own data, a right to be forgotten and to have any social media posts made before they were 18 deleted. It will also make it easier to transfer data from one provider to another, with an option to have it processed manually, rather than by an algorithm, when it could be used to affect which products they’re offered, and at what price. Much of this draws from EU provisions.

“The Data Protection Bill will be the UK view of GDPR,” explained NTT Security’s Rob Moore, but there will be some key differences. “It includes law enforcement provisions covering the transfer of data between police organisations across the EU, and there’s another section focused purely on how national security organisations within the UK will be processing the data… it’s interesting to read because the rights that you have under GDPR also apply to the law and security sections.”

Personal implementation

The regulations in both GDPR and the Data Protection Bill are intentionally opaque. “It’s designed around data protection and how to achieve that, which is why some of it is much more vague than you would expect or might have wished for,” said Kilpatrick. The clauses set out what must be achieved, not how it should be done, so that businesses can formulate whichever solution suits their way of working.

However, as Rob Moore points out, compliance will require many businesses to reverse their usual way of thinking. “There’s no expectation that you’re going to gold-plate all of your security controls, because that’s not good business sense,” he said. “You have to look at the data you’re collecting, reduce it if you can, then run a risk analysis against it; not from a business risk standpoint, but by approaching it with the risk to the individual in mind. If the data is lost, someone gets access to it or it’s published online, what is the risk to the rights and freedoms of the data subject? If all you have is a list of email addresses, you’re not going to be expected to use full encryption, but you do have to look at the risk and put the controls in appropriately.”

Data mapping is key: auditing what you’re gathering, how you’re storing it and who has access to it. By minimising duplication at each step, you’ll make compliance far easier – particularly if a data subject later exercises their right to be removed from your records.

It’s not something that Kilpatrick believes is going to happen en masse, but it needs consideration. “I don’t envisage a vast swathe of consumers asking [companies] to remove their data, but a number of people who are more aware, or are activists, will,” he explained. “[Businesses need to] check their existing records, then do double subscriptions. Ask people if they still want to be included in your data lists and don’t assume that if someone doesn’t reply they’re happy staying on the list, because you need active consent.”

The right to change your mind

Naturally, this will mean that marketing resources such as customer lists are going to shrink, but it’s the safest way a firm can make sure it’s compliant – and the cost of potential lost business will likely be smaller than a fine for non-compliance.

“One of the interesting things is that this bill makes it as easy to remove consent as it is to give it, so there must be a means of facilitating this,” Moore said. “From an architectural perspective, businesses need to look at the public-facing parts of their IT and ask how they’re going to first gain consent and inform people of their rights, and then how they are going to facilitate withdrawal of that.”

Things will likely be complicated by any sharing of that data with third parties, as this will be further affected by the relationship between the person who gathered the data and the party that’s processing it. “If I collected your data as the controller and someone else is processing it on my behalf, it’s down to me to [action the removal of] that consent,” Moore explained. “If it’s a controller-to-controller relationship, though, it would have to be between the data subject and the other organisation.”

Both Moore and Kilpatrick recommend that businesses audit their existing data so they know what it is and where it’s being used – and make plans for keeping the audit current. “The ICO [Information Commissioner’s Office] will want to see where you’re making an effort and where you’re putting your controls in. If you can only say that you did a data mapping exercise a year ago but have done nothing since, then you can’t show evidence of ongoing control,” Moore warned.

The fines for non-compliance stretch to 4% of a firm’s global turnover for serious, repeated breaches, but Kilpatrick urges British businesses not to worry. “It’s very much based on behaviour, so it’s not like you’ll be fined 4% if you lose data,” he said. “More likely you would have to lose data, fail to report it, fail to have a data protection officer and not have taken any steps to anonymise the data. In that case, you’ve shown a complete disregard. In reality, if you look at large organisations, not many of them tick all of those boxes, but if they tick some of them there will be mitigating circumstances.”

There’s still time

Fortunately for British businesses, there’s still time to get things in order – and those who have made a start on accommodating the requirements of GDPR shouldn’t need to either roll back or revise what they’ve already done. The bill is still at the start of its journey towards becoming law, and GDPR will go live before it’s passed.

Much of what the Data Protection Bill contains should be common sense, and it merely formalises what most consumers would consider to be the “polite” and correct way to handle their data. Approaching it from this point of view certainly makes wading through those 203 pages feel a lot less intimidating.


TOP Rob Moore recommends that businesses audit their existing data

ABOVE Ian Kilpatrick argues that UK firms shouldn’t worry too much about fines
