18 Oct 2016
People are becoming more and more aware of the value of their data and, even more importantly, the impact if that data is misused, says Neil Matthews.
Legislation around how data should be handled, protected and used has existed since 1984 – but technology has begun to run away with us.
Even when the government introduced the revised Data Protection Act in 1998, mobile phones made calls and sent the occasional text, and tablets were still prescribed by doctors.
The past 20 years have seen a massive change in the way we communicate with each other and the way we are communicated with: we send texts and emails more than we talk to people, we book appointments online and receiving a cheque is an inconvenience. Technology has therefore presented us, as businesses and individuals, with the challenge of protecting ourselves and our personal data from identity fraud and misuse.
Legislators have recognised the 1998 act is no longer fit for purpose and have spent the past four years consulting, drafting and finalising a new European General Data Protection Regulation (GDPR). It was finally adopted into law in April of this year and, from May 2018, regulators will be able to enforce it.
So, what does this mean?
In short, it means greater responsibility on businesses and greater protection for the consumer (data subject).
When collecting data, we are now going to be required to provide more information. Our privacy notices, the how, what and why of collecting the data, must be clear and unambiguous so that the data subject is fully informed, and must contain, but are not limited to:
How the privacy notice is drafted determines whether the data can later be used compliantly: purposes that were not set out at the point of collection cannot simply be added afterwards.
Two key considerations exist relating to the security of data you hold:
A company whose core activities consist of regular and systematic monitoring of individuals on a large scale is required to appoint a suitably qualified data protection officer. While it may well be that many veterinary practices would not come under this requirement, one school of thought says having access to someone who is suitably qualified will demonstrate to your customers that you take responsibility for, and are aware of, their data.
Data subjects have always had the right to access their data through subject access requests, but that right has now been extended: the time allowed to respond has been shortened and the ability to charge a fee has been withdrawn. People can now also request their data be deleted, withdraw consent to processing and request portability of their data to another provider.
The powers of regulators to enforce the regulation have increased, and fines of up to 4% of global annual turnover or €20 million (£17 million), whichever is higher, can be applied. It is not yet clear how these would be applied to smaller businesses, but the regulation has certainly increased the potential for action.
The responsibility to collect, store, use and protect your customers' personal data has always been there, but additional accountability measures are now in place, so you must be able to demonstrate compliance, not merely assert it.
With the increased fines, businesses need to look at how they collect their data:
We don't know when Article 50 will be triggered, but once it has been, there are two years before the UK leaves the EU.
Although we have two years to be compliant with the regulation, can we afford to wait?
We will still need to replace the Data Protection Act 1998, and the probability is that, with certain amendments, the European GDPR will be adopted into UK law. The points I have raised will therefore still need to be implemented, a view shared by others in the world of data protection and privacy.
We have a new data protection regulation that will probably be adopted in some form when the UK leaves the EU, so look at the way you handle customer data, review your collection practices and make your business one customers trust with their data.
Data protection is not something to be scared of – if done correctly, it will have a positive impact on your business. Don’t ignore it in the hope it will go away.