How safe is your customers’ data? Are you managing their information responsibly, and, more importantly, correctly in the eyes of the law? The new Data Protection Bill is designed to update the existing laws, and hopefully plug a few gaps along the way. It’s big, it’s important, and it affects every single business that collects any kind of client or customer data, no matter how inconsequential a tiny packet of data may seem. It also gives your customers the ‘right to be forgotten’ – a major development and one you have to be aware of.
The new bill gives customers a greater say over not only how their personal information is used, but how it’s stored, who has access, and how long companies can keep that information on file. The bill also means that customers can now request that their data is returned to them, and the holder is obliged to comply.
Given the number of massive data breaches over the past couple of years (from the TalkTalk debacle through to the most recent NHS hack), it’s about time that something was done to give the public a little more confidence in how businesses, and the public sector, store and use personal data.
Tying in with GDPR
The Data Protection Bill is also designed to herald the introduction of EU guidelines as laid down in the sweeping GDPR regulations, which land on our shores in less than a year and are set to be implemented into UK legislation, regardless of whether or not we’re in the EU at the time. Brexit be damned – GDPR is coming and everyone will have to fall into line.
The combination of GDPR and the Data Protection Bill demonstrates very clearly that the UK government is taking data protection very seriously. It’s little surprise, though, as the government cannot afford not to treat the issue of data protection as a priority. It has the potential to affect every single person in the UK, who also just happens to be a voter.
It’s also a message to our EU partners that post-Brexit, the UK will have a ‘strong and stable’ data protection policy, ensuring that businesses trading with UK companies can do so with confidence, and without worrying whether a data leak will compromise their personal information.
The impact on e-businesses
So what does all this mean for e-businesses? Well, because e-businesses are at the very forefront when it comes to using personal data, and trust is always an issue when it comes to online activity, they’re going to have to respond quickly and proactively to any changes. Industry leaders believe that the new act raises the bar for businesses, especially as the information covered by the bill has also been extended. Now, businesses will need to protect not only the financial information of their customers, but their IP addresses, online DNA and even cookies. So everything from postcodes to browsing history is protected.
Taking another look at your T&Cs
Businesses will also need to have an effective consent policy in place, so those Terms & Conditions documents may need looking at again. Businesses cannot get around the legislation by claiming ignorance, either, so they’ll have to know exactly how and where data is being stored.
The ‘Right to be Forgotten’ will be eagerly seized upon by a public that’s increasingly concerned about just how much exposure their personal data is subject to online. However, e-businesses that demonstrate a good understanding and a flawless interpretation of the new legislation could actually benefit from these changes, by raising customer trust levels to new heights. Those who don’t comply will find a rapid decline in customers, as their demographic seeks out competitors who offer a more secure online environment.
Non-compliance could be expensive, too, with fines of up to 4% of global turnover. That means fines could run into millions of pounds, so effective data management just took on a whole new level of importance for e-businesses of all sizes.
Compliance is a necessity
The key is to identify exactly which data is subject to the new legislation, and to ensure compliance. That could mean legal experts who are specialists in e-commerce and data protection legislation are going to be busy over the coming months, as businesses rush to ensure they’re complying fully. From T&C documents and operational guidelines, through to data management policies and compliance with the Right to be Forgotten legislation, staying on the right side of the Data Protection Act and GDPR has never been more important. The existing DPA was created before e-commerce was even a ‘thing’. Because the pace of change has been so fast, customers’ expectations and how they use e-commerce have changed well beyond the limits of the current law, which is why the new legislation has been brought in.
But with just months to go before GDPR goes live, businesses have to act sooner rather than later to ensure they are complying. And a good place to start would be to talk to their legal team to ensure they are ticking all the Data Protection boxes as quickly as possible.