General Data Protection Regulation: How will it impact the UK?

For any business that stores customer information, there are constantly evolving rules and regulations which they must adhere to. Barely a week goes by without a high-profile data breach hitting the headlines, Yahoo being a recent high-profile victim.

The traditional image of a burglar in a black and white jumper has been replaced with a much more sophisticated breed of fraudsters, capable of causing havoc to a business of any size.

Unsurprisingly, given the nature of its customer data, the financial sector in particular is vulnerable to hackers. Financial Fraud Action UK recently revealed that fraud in the UK payments industry has soared by 53 per cent in a year. Worryingly, over 1 million cases of fraud involving online and phone banking were reported in January – June of this year.

The need to protect customer data has long been recognised in the UK. The UK Data Protection Act has been in place since 1998, providing clear legislation on the way in which businesses can obtain customer data, the kind of information they are allowed to hold and how they can use it. This is all set to change in 2018 with the introduction of the General Data Protection Regulation (GDPR), which will replace the UK Data Protection Act and affect any business which processes personal customer data.

Changes to the management of customer data

The GDPR will apply to both processors and controllers of customer data, so those businesses which are currently regulated by the UK Data Protection Act are likely to be affected by it. Significantly, the GDPR will be imposed across Europe, building a harmonised data protection regime that impacts not only companies based in the EU but also those that want to do business here.

In essence, the GDPR will introduce stricter requirements around when brands and businesses can use data. This means businesses will need to be clearer about the information they are requesting from customers and how they will use it.

The traditionally opaque, lengthy terms and conditions will no longer be an option: businesses will need to provide transparency at all stages of the collection of customer data to ensure consent is given unambiguously. Another crucial change is the introduction of an ‘opt-out’ box, which will give customers greater control over the information they share with businesses and organisations.

Strict penalties will also be introduced for businesses that breach the new legislation, with the maximum fine increasing from £500,000 to €20m or 4 per cent of global turnover for the most serious incidents. With AT&T Inc fined $25 million in 2015 for a customer data breach, it’s clear these incidents are being taken extremely seriously across the world.

For IT divisions, depending on the size of the business, there may also be a requirement to appoint a Data Protection Officer to ensure the organisation achieves and maintains compliance with the new legislation.

Brexit: How will the GDPR impact the UK?

In these post-Brexit months, perhaps the most confusing area of the GDPR is how it will impact data protection in the UK. Although the integration of the GDPR into UK law is still being discussed, at the very least UK businesses working with EU countries will need to abide by the legislation as it applies to the management of customer data flowing both in and out.

The seismic shockwave that has been reverberating around the UK ever since the referendum result in June continues to rumble on in a climate of uncertainty and apprehension about what the future really holds. Looking across the Atlantic, data flow and security remain thorny issues, and the ongoing debate between the EU and US on Safe Harbour legislation has become a lot trickier post-Brexit.

The inherent contradiction between national borders and data held on servers internationally means that negotiations to find a solution will continue to be slow and complex.

Customer data and the Cloud - The considerations

We are living in a changing world, but the fundamental factors businesses need to take into account when deciding where, and how, to store their customer data remain largely the same. Abiding by data protection legislation is clearly a non-negotiable consideration in that decision.

Beyond this, there are a number of factors which IT decision makers should consider to make sure they are managing sensitive information in the most flexible, convenient and secure way possible.

The storage requirements will vary depending on the size of the business and the nature of the customer data, but I believe the main factors to consider are as follows:

  • Flexibility – It’s crucial for businesses to have flexibility in cloud options and the ability to adapt solutions to comply with local laws. One option is modern SaaS providers which are able to use different service providers in different countries to ensure that customer data resides where, and how, legislation allows. The cloud functions more efficiently when data loads can be shifted from one data centre to another. Without the free flow of data, response times worsen and costs go up, which is not good for the customer experience.
  • Public or private? – Most cloud solutions are available only as proprietary, multi-tenant, shared-infrastructure, single-cloud configurations. There’s little or no opportunity for companies to decide where they want their applications and data to reside. Public? Private? Within your own country’s borders? On-premise? A hybrid combination? Often, the only choice is the vendor’s proprietary cloud.
  • Security – Regulatory requirements and enterprise integration strategies should be carefully considered before you get locked into a lengthy contract. Imagine investing in the best security tools and the most sophisticated authentication protocols, and still being at the mercy of the cloud vendor’s security mechanisms. There is a real risk of compromised reputation, lost business and fines if you are not compliant and careful with customer data.
  • Integration – The days of proprietary, siloed data are over. Companies that do customer experience well must have all of their data sources integrated; it’s that simple.
  • Cost – An electronics multinational I worked with reviewed the public cloud CRM solutions available and found that moving large volumes of data across multiple public cloud vendors was simply too costly. A cost-efficient solution which delivers a high-quality service is what businesses should look for when choosing where to store customer data.

Looking ahead

Data protection laws are in a constant state of flux, and it’s crucial that businesses ensure their infrastructure (and their employees) are set up to comply with the changes. Organisations should have the freedom to implement the systems and architectures that best address their needs for security, compliance and data integration.

It will be interesting to see how the GDPR will impact UK businesses, and I urge IT professionals to keep abreast of the latest news and developments to make sure they are fully prepared to make the required changes.

Larry Augustin, CEO, SugarCRM