The EU's General Data Protection Regulation is not just a tick in a box
This article was first published in Business Insider
Advances in technology and the sheer volume of data now available to businesses create significant opportunities to gain competitive advantage. Scottish firms, facilitated by the likes of the Datalab with hubs in Aberdeen, Edinburgh and Glasgow, and the proximity of world-class industry and university institutions with leading research into informatics and computer science, have a great chance to exploit that opportunity.
But firms across all sectors will also be familiar with the increasingly challenging task of managing, processing and storing data securely.
Cyber-attacks can cause short term operational chaos, followed by longer term reputational and commercial damage.
Additionally, consumers are increasingly concerned by the extent to which their personal information is used in marketing activities and passed to third parties, with limited opportunities to opt out.
Now the EU's General Data Protection Regulation (GDPR) is tightening many of the existing regulations that relate to the security and use of personal and sensitive data.
Coming into force in May 2018, the GDPR will bring with it a range of new requirements for those who control and process personal and sensitive personal data.
This will impact virtually every business in Scotland, regardless of whether it deals directly with customers.
From personnel records to supplier databases, all companies will hold data that is subject to the new requirements.
This is clearly going to be a high profile focus for government, which confirmed earlier this year that it will largely follow the GDPR when the UK leaves the EU.
This will include the extension of liability not only to those that control data, but also to organisations that process data.
Companies need to understand the full extent of their responsibilities and manage them carefully; otherwise, Scottish organisations that fail to protect against personal data breaches will face a fine of up to £17 million (or a fine of 4 per cent of global turnover, if greater).
Going forward, marketing permissions will need to be obtained on an ‘opt in’, rather than an ‘opt out’ basis, and customers have the right to ask a firm to erase any data about them.
There is also a new 72 hour time limit on notifying the regulator of a data breach. This means that firms will need the right people, processes and technology to detect, respond, investigate and report a breach quickly.
While this can appear daunting, there is help available in the tools and guidance recommended by the Information Commissioner's Office (ICO).
One of the most important of these is the advice on carrying out data protection impact assessments.
These evaluate the privacy risk of the personal data a company holds by looking at how the information is obtained, how it is stored and how it is used. The company can then develop safeguards and mechanisms to mitigate those identified risks.
Firms should start a data mapping exercise now to assess the types of data they hold. This will help shape and prioritise the activities needed before the GDPR implementation.
Companies should recognise that this can be a time-consuming and challenging process, especially for larger operators.
It is also important that key stakeholders and staff are made aware of, and appreciate, how the change in law will directly affect their day-to-day activities, especially those in customer-facing roles.
However, the GDPR should not just be seen as a burden to manage, but as an opportunity to review and reinforce companies’ cyber resilience.
With a significant number of Scottish businesses experiencing at least one data breach or cyber-attack in the past year, this is a pressing issue.
Getting data protection and cyber security right will not only bring real business benefits but reduce the risks of a breach.
The ICO has recently made it clear that it will expect companies to have started work well ahead of the deadline of 25 May 2018, and that those that have put the necessary safeguards in place will be looked upon favourably if they do experience a data breach.
It is vital that Scottish businesses start preparing for the GDPR now.
Mike Teall is a strategy, risk and analytics expert at PA Consulting Group