Why the UK Data Bill should be a wake-up call for British business

If anyone was in any doubt about the future direction of data protection in the UK then the recent UK Data Bill should serve as a wake-up call – because there may be far more to come.  

The Bill contained no real surprises; after all, much of it simply re-confirmed policies which have been discussed for a long time by politicians and officials working on the EU General Data Protection Regulation (EU GDPR).

For those who have been ignoring what is happening in Europe, however, in the hope that it will simply go away after Brexit, it may have rung some alarm bells. 

Earlier this year a Crown Records Management Survey, which polled 408 IT decision makers in companies of between 100 and 1,000 employees, suggested almost a quarter of businesses had cancelled preparations for the EU GDPR – in a ‘wait and see’ policy.  

Now, however, it is indisputable that there is a definite trend towards ever-greater legal requirements over how data is stored and collected. It can no longer be ignored.  

The UK Data Bill hit the news in August, handing Britons increased rights over the use of their personal data. 

It will make it simpler for people to withdraw consent for their personal data to be used, allow them to ask for it to be deleted or updated – and also require firms to obtain explicit consent to process sensitive data in the first place.  

The bottom line is that in future businesses will need to know exactly what data they store, how to access it and how to edit it. And in addition they must be certain that proper consent has been given by the data subject.  

The Bill will come as no surprise to anyone who has followed the progress of the EU GDPR which is due to come into force in May 2018 and which contains highly similar language.  In fact, there has been a string of recent legislation all designed to tackle the issue of data protection and regulation.  

These include: 

  • Privacy & Electronic Communications Regulations (enforcement May 2016)  
  • Payment Services Directive 2 (enforcement Jan 2018)  
  • EU General Data Protection Regulation (enforcement May 2018)  
  • Network and Information Systems Directive – consultation period  
  • UK Data Protection Bill – in Queen’s speech and more details published in August 

Looking at that list it’s easy to see the ‘direction of travel’ in data protection in this country – and it’s something businesses need to take urgent account of. 

The truth is that companies now need to realise that there is a definite trend towards legislation which requires organisations to have greater and more detailed control over personal data.  

With increased legislation from the UK, EU and many other governments worldwide the direction is all one way – more protection and higher penalties for getting it wrong.    

Most senior staff in companies are well aware of the fiduciary duties around money and property but how long can it be before the highest standards of care are demanded of personal information too?  

What is interesting, too, is the public interest in this area.   

Data breaches have always been big news – a company’s global reputation has been known to be at stake when breaches are announced, with stories making the front pages. But now there is intense interest not just in breaches but in individual rights over personal data and how it is kept safe – or otherwise.

The current media environment and, perhaps more deeply, the growing expectation among data subjects that they should have intrinsic rights over their personal data mean that data protection is a hot potato.

It has created an environment in which shareholders are far more aware of data issues and more nervous than ever about how they may affect the business.  

It doesn’t take much to realise that shareholder interests are already being directly hampered by loss of data – we saw the TalkTalk share price fall dramatically after a breach, and other high-profile cases have produced similar results.

So there is already a direct correlation, yet still “data” issues inside a business are often relegated to IT to deal with as an operational issue, ignoring strategic opportunities in a data-led age. Whole companies are built on data and whole industries affected – so the ostrich response of ignoring the obvious change is no longer good enough. It’s not one piece of legislation but a whole wave of them, and it’s not likely to stop. You can be pretty sure the UK Data Bill will be followed by others in future, strengthening individual rights over personal data and providing both challenge and opportunity for companies which collect or process data.  

That Crown Records Management survey of IT decision makers at companies across the country revealed a wide range of worrying results when it came to attitudes towards data protection.  

These included:   

  • 56 per cent have not yet undertaken an information audit, meaning they may not have a clear picture of data in the business.  
  • 24 per cent had cancelled their plans to prepare for the EU General Data Protection Regulation in light of Brexit.    
  • 44 per cent don’t regularly review what data is stored in the cloud or on premises.
  • Only half are ‘very confident’ they have a full and accurate picture of all the information they hold in the business.
  • Only 45 per cent are ‘very confident’ their business currently complies with the requirement to obtain explicit consent to hold data for specific purposes.   

The key to improving data protection is strategic input at board level to change the whole culture of a business. But are businesses ready to do that?  

It’s clear from these results that not all businesses are taking data protection and information management seriously enough. The solution involves people, processes, culture and putting customer data first, rather than just technology.

Until boards stop thinking about managing data as an IT cost rather than an investment in their future, not much will change.  

What’s important now is for businesses to respect people’s data and put good data governance in place. Those who do so may also find rich rewards because customers increasingly value the safety of their data. It will also allow companies to worry a lot less about possible fines.

John Culkin, Director of Information Management Services, Crown Records Management 
