Conflicting priorities are a reality of running a business – picking the true priorities from among all the others is often what separates the top performers from the rest. Despite my own deep interest in the subject, even I can concede that data protection probably isn’t always the first thing on the agenda when boards of Scottish companies get together. It’s understandable. For most businesses, the subject is likely to feel like a distant relative next to things like cashflow and new business strategies.
But the law is changing, and the changes bring the issue into much sharper focus. In May 2018, new privacy laws will come into force in the UK, implementing EU legislation which makes it much harder for companies to contact individuals or use their data for marketing purposes. The new General Data Protection Regulation (GDPR) will replace the current regime, governed by the Data Protection Act 1998.
Before these changes, the statutory obligations applied only to data controllers, the organisations which decide how and why customer data is used. From May 2018, they will also apply directly to data processors, any organisation which handles data on behalf of someone else – from marketing companies to IT consultancies.
Under the GDPR, penalties for breaching the laws will be increased. At the top of a tiered fines system, this could equate to four per cent of global annual turnover or 20 million euros, whichever is higher. That’s before you consider the reputational and customer impact of the Information Commissioner making a very public example of you.
The new legislation has greater territorial scope: any organisation that processes the personal data of individuals in the EU is likely to be affected, wherever it is based. Data protection is an issue with far-reaching consequences, and the repercussions of non-compliance could have huge implications for a business. Skating over data protection as a mere box-ticking exercise (if even that takes place) won’t be enough. Organisations will have to examine their compliance procedures, review adherence to them and assess instances where they have been breached (or where there’s been a bit of sharp practice).
There’s no getting away from it – companies which have to get these procedures in place will feel the extra burden, but that won’t be an excuse for not doing it.
Similarly, for anyone who was hoping June’s vote to leave the EU might derail the whole thing, it’s best not to get your hopes up. The outcome of Brexit remains uncertain. Initially at least, UK businesses will need to comply with the GDPR once it comes into force. In the long term, it is inevitable that the UK will need something that aligns with the GDPR. The rest of Europe will be adhering to these laws; they simply won’t do business with anyone who doesn’t.
The businesses I’m working with are, by and large, very switched on to the changes they’ll need to make between now and May 2018. Aside from the legislative imperative, there’s an expectation from consumers that any organisation which holds their data will behave honourably with it. It’s the difference between the letter of the law and the spirit of the law – what’s legally required and what’s expected in reality. The two are actually closely aligned. Consumers now feel empowered to shine a light on bad behaviour from businesses which don’t respect their personal data.
Combine customer ire with the threat of regulatory sanction and a hefty penalty, and that should be reason enough to focus the mind. The skill of managing conflicting priorities will be more important than ever – because at some point, data protection is going to be priority number one.
• Helena Brown is head of data protection at law firm HBJ Gateley.