UK Boards and Data Protection – The Challenge of 2018 and Beyond

As the amount of personal data being collected grows exponentially, so does the importance of how it is managed, processed and protected. For UK companies, data has become one of the biggest commercial opportunities and also one of the most serious threats, as penalties for mishandling it become more severe. It’s not surprising, therefore, that UK boards report data protection and complying with new legislation as a top priority for 2018. We take a look at how data is protected in the UK and what boards should know about the future…

Analyst company IDC predicts that the global datasphere will equate to 163 trillion gigabytes by 2025 – a tenfold increase on 2016 figures. This explosion will be fuelled by the proliferation of the Internet of Things (IoT), with devices from smart cars and appliances to CCTV networks and retailers reporting user activities and status 24/7. IDC calculates that, in 2025, an individual will interact with an internet-connected device up to 4,800 times per day. This data is so valuable to the companies that use it to develop, refine and market their products and services that it has been described – by The Economist among others – as “the new oil.” All of this personal and potentially private information is entrusted to the collecting organisations by customers, service users and citizens; ensuring that they use and protect it responsibly is the domain of data protection legislation.

The Present – The Data Protection Act

In the UK, companies must currently comply with the Data Protection Act (1998) (DPA). This legislation was enacted to satisfy the requirements of the European Directive on Data Protection 95/46/EC and effectively enshrines the directive in UK law. It covers the rights of individuals in relation to the data that is collected about them by organisations in both the public and private sectors.

Enforcement of the Data Protection Act is the responsibility of the Information Commissioner’s Office (ICO), which issues penalties resulting from its investigations into breaches of the Act. In recent years, both the number of fines and their amounts have increased dramatically – from two fines totalling £160,000 in 2010 to 44 fines totalling £3.1 million in 2017. The highest-profile breach punished by the ICO was that suffered by communications company TalkTalk, which saw 157,000 customer records accessed by hackers exploiting a vulnerability in the company’s website. A record £400,000 fine was issued – although still short of the £500,000 maximum. At a House of Commons Select Committee hearing into the incident, TalkTalk CEO Dido Harding confirmed data protection and cybersecurity as a board issue that shouldn’t be delegated to a technical department.

The Future – GDPR and the UK Data Protection Bill

When we consider all the technological and lifestyle advances that have taken place since 1998, it’s not surprising that a Directive issued before the invention of the smartphone is now outdated and not fit for purpose. With the explosion in data collection has come the biggest revolution in individual data rights for a generation: the General Data Protection Regulation (GDPR), which will come into force in May 2018. This legislation will be immediately applicable in all EU member states, including the UK.

The guiding principle of the GDPR is that of giving control of personal data back to the individual. Failing to comply with the GDPR carries the risk of financial penalties far in excess of those under the DPA. Organisations face handing over the greater of up to €20 million or 4% of turnover; they will also suffer significant reputational damage and, in the case of individuals implicated in deliberate breaches, imprisonment. This is a sure-fire indication of the growing importance of the individual’s rights to privacy and security. Even if the scale of the penalties weren’t enough to make data protection a board-level issue, the fact that UK Information Commissioner Elizabeth Denham has suggested that company directors could be held personally accountable for data breaches adds a strong human, as well as financial, dimension to the situation.


The Brexit Factor

The UK is scheduled to exit the European Union on Friday, 29 March 2019, seven months after the GDPR comes into effect. This means that UK businesses will have to comply with the GDPR during the interim. They will also need to comply with the Data Protection Bill, which will become law in 2018 and is designed to replace the Data Protection Act. This bill will ensure that the GDPR is brought into UK law and will endure post-Brexit. It also responds to the Government’s commitment to make the UK “the best and safest place to do business online” and to make legislation fit for the digital age. With this Bill, the Government is aiming to achieve adequacy with EU legislation post-Brexit so that data and trade can continue to flow seamlessly from 29 March 2019 onwards.

Board Preparation

There are some key elements that UK boards need to incorporate into oversight to ensure that their organisation is not just on the road to compliance with the GDPR and Data Protection Bill, but can show evidence to prove it:

Establish a board-level reporting structure for data protection: Consider the level of data protection expertise in the makeup of the board and whether any lack of knowledge is a weakness to be addressed. If the organisation is one of the many that will need to appoint a data protection officer (DPO), that officer should have a direct reporting line to the board to raise matters of compliance.

Data audit: The board should be satisfied that the organisation knows exactly what data it collects and the consent gained at the point of collection; how that data is classified and processed; and whether it is processed by any third parties, including service providers such as cloud companies.

Cybersecurity: Data protection and cybersecurity go hand in hand. Directors need to understand the protections their organisation has in place to detect attacks and to enable compliance with the 72-hour time limit for notification of a breach; a breach that is not detected promptly cannot be reported on time. Boards should also ensure that their own internal communications are securely managed to prevent loss of critical information.

Right to be forgotten: A new provision under the GDPR and the Data Protection Bill is the right of data subjects to request that all of their data be erased by the controlling and processing organisations. Boards should understand the facilities their company has in place to meet this requirement and report on its application.

Crisis response plan: Cyberattacks resulting in data breaches are an unfortunate fact of life. Boards should ensure that they have a plan in place to respond to the operational, legal and reputational impacts of a data breach.

Boards set the tone of an organisation’s approach to data protection. A strong board posture on respecting customer rights to data privacy creates a culture of data protection and can become a competitive edge. As Chief Scientist and Fellow at McAfee, Raj Samani, summed it up: “It’s critical that businesses do everything they can to protect one of the world’s most valuable assets: data. The good news is that businesses are finding that stricter data protection regulations benefit both consumers and their bottom line.”
