The War on Data
There is an invading force approaching our shores in the name of GDPR, and we all need to be ready to embrace it on the beaches, on the landing grounds, in the fields and in the streets
On 25th May the General Data Protection Regulation (GDPR) comes into force, and it will affect each and every one of us. In fact, any business must be prepared and its practices up to date if it wants to avoid the risk of investigation, prosecution and, potentially, heavy fines. But, in the immortal words of Dad’s Army’s Lance Corporal Jones, “don’t panic!”
When the Data Protection Act was introduced in 1998, it was revolutionary. It provided safeguards for individuals on the use of their personal data, and clear rules for companies about how they could use it. But 20 years is a long time, especially when you consider the speed of the technological change and the way organisations are collecting and utilising our personal data. The landscape is entirely different, with web-based services, social media and sophisticated advertising mechanisms monitoring every area of our digital lives. There is increasing competition and profits to be made from mining and manipulating our personal data and, while the Data Protection Act has tried to keep up, it just wasn’t designed for today’s world. Recognising the struggle, recently highlighted so publicly with the Facebook data breach and Cambridge Analytica’s claimed manipulation of election and referendum results around the globe, EU lawmakers began working on something new: a wide-ranging set of rules that would not only bring the law up to date, but would apply to all EU countries, in the form of GDPR, and it’s good news for us all even if initially we have to change our working practices. As small businesses, we’re all faced with the task of understanding a huge new set of rules that are pretty complicated and a very dry read! Understanding the implications is a daunting task and, as usual, opportunists are quick to lace the internet with ‘guidance’ and scaremongering articles that tell us ‘how to prepare for GDPR’, without actually telling us. They want you to submit your details and pay for their advice. Buyer beware…
Who Do You Think You’re Kidding?
I’ve scoured the Internet for hours and one thing is blisteringly clear – much of it is open to interpretation. That’s understandable; there are so many different types of business, all operating in different ways, so nobody is likely to put their neck out and provide exact guidance on what each of us needs to do. It is true that GDPR tightens up our (pretty lax) data protection laws, and there are some hefty fines for non-compliance. It will affect larger companies the most, especially big ones like Facebook and Google who use our data in lots of clever ways. In the UK, the Information Commissioner’s Office (ICO) – an independent authority on all things data protection – will have the power to increase fines from £500,000 to €20 million for the biggest, brashest offenders. This has to be a good thing, forcing big business to take data protection, security and privacy seriously, and encouraging greater transparency between business and customer. As consumers, it provides us with greater powers and rights over the collection, storage and processing of our personally identifiable information. As small businesses we are not off the hook. Some experts will tell you (with alarming certainty) that it doesn’t apply to us, because Article 30 of the GDPR says businesses with fewer than 250 employees aren’t bound by it. Sure, bigger businesses have more work to do, but all businesses will need to abide by the rules, and misuse of someone’s data can lead to compensation to recover both material damage and non-material damage, like distress. So, in our increasingly litigious society, ignore them at your peril…
Don’t Tell Him, Pike
In my personal opinion, the risk of falling foul of these new laws is tiny if you simply adopt a sensible approach to handling people’s personal data. In reality, most people don’t know their rights under the Data Protection Act, and that will be the same with GDPR. Those who do may ask you how you store and use their data, but will be happy with an assured response, as trust between driving instructor and student typically runs pretty deep. However, good data handling practices should be something we all adopt by default; not because we have to, but because we respect the rights of those who entrust us with it, and because we want to. For example, there are many who still feel it’s best to capture sensitive data using ‘good old’ pen and paper. I disagree – paper isn’t secure unless it is locked in a filing cabinet. It’s better in a professional grade, secure, efficient, cloud-based database.
Permission to Speak
In the end, it is up to you to interpret the rules appropriately for your operation; you are a ‘data controller’, and it’s your responsibility to comply with data protection rules. So, do some research, and apply what is right for you, and going to the Information Commissioner’s Office website at ico.org.uk is a good place to start. But to give you a heads up, here are some (non-legally-binding) pointers you might want to consider. Personal Data: Any piece of data that can be used to identify someone. In your case, this will include names, contact details, date of birth, driving licence number or a copy of it, and social media links. The best rule here to make your life simpler is: if you don’t really need it, don’t ask for it. Consent is Key: It is essential you gain evidential permission to obtain, keep and use personal data. Adopting simple language is essential, but you have to clearly explain how you intend to use it. Silence or inactivity does not constitute consent, as your customer must provide clear and affirmative permission. This means they have to actually ‘tick the box’, rather than removing the tick. Furthermore, you have to have records of when the consent was granted. My personal recommendation here, is to update your Terms & Conditions to explain:
● what you need them to provide (e.g. contact details and driving licence)
● why you need it (e.g. to communicate and check eligibility to drive)
● where you’ll store it (e.g. in a secure cloud-based system)
● that you’ll provide full visibility on all the data you store about them on request
● how long you’ll keep it (e.g. for as long as necessary to provide tuition and in line with your responsibility to maintain effective records)
If you plan to communicate with them about anything other than their lessons (e.g. marketing or sales campaigns), you need to ensure they understand this and that they are completely happy
for you to do so. If you don’t have Terms & Conditions that outline how you will work with customers, it’s time to get some. Storing Information: You must know where any stored information is located and be able to access it. By consolidating your business records into a single, secure system, you’ll make your life much easier. If you’re using other means to record personal data relating to your customers (e.g. spreadsheets, paper diaries, Google calendar etc), make sure they are secure from loss or theft. If your customer asks you to confirm where their data is, you’re legally bound to comply with their wishes.
Delete & Forget: Your customers have the right to withdraw their consent for you to hold and use their data at any time. It must be as easy for them to withdraw consent as it was to give it. They also have the ‘right to be forgotten’ -you must permanently delete any personally identifiable information you hold about them, on request. Data Breach: A personal data breach occurs when the confidentiality, integrity or availability of personal data is affected by a security incident. For example, if your mobile phone is stolen, and you don’t have any device security (e.g. a PIN code) in place to protect it, or if you send someone’s details to the wrong recipient. In the event this happens, you’ll need to document it, determine the severity of the risk, and notify anyone affected. If it’s a serious breach, you’ll need to notify the Information Commissioner’s Office (ICO) within 24 hours, who will help ensure you take the correct remedial action.
Stand At Ease
Now is the time to carry out some research and get professional advice if necessary. It is essential you are transparent with your customer about how you plan to use their information, only collecting what you need, you know where it is securely stored, and don’t deviate from what you agreed with them. If you do, the financial and reputational damage to your business could be severe. You have been warned.
Dan hill – https://www.mydrivetime.co.uk/