The EU General Data Protection Regulation (GDPR)


The protection of personal data has been enshrined in UK and EU law for some time but, in 2016, the first major change in this area was passed into law, and businesses have to be compliant with its terms by May 2018.

Now you might think Brexit makes this unnecessary, but we are going to be part of the EU and subject to its regulations until 2019 at least, and very possibly for two years (or more) beyond that. So you cannot afford to ignore this and hope it will just wither away. It is very likely that, if and when we do leave the EU, similar legislation providing the same sort of regulation will need to be enacted in the UK.

Data protection is also a significant aspect of user experience and should not be ignored in that context.

EU GDPR

Cybercrime has become a major problem for British companies, and for companies the world over, and it appears that SMEs are now more likely to be targeted than their larger, better protected counterparts in industry. Penalties can be high (up to 4% of annual turnover) and are likely to be enforced rigorously.

Key Changes

  • Consent: consent now needs to be unambiguous and clearly sought and given in an intelligible and understandable manner. It also needs to be as easy to withdraw as to give. Businesses also need to keep records of how and when consent was sought and given.
  • Transparency: the information held on people has to be transparent and accessible: individuals can ask for a copy of any data held on them and for the purposes and uses for which it is held.
  • Erasure: a new right to be forgotten is enshrined in these regulations, which means a subject can ask for erasure of all data held on them, for dissemination to cease, and for a stop to be put on processing by any third parties as well.
  • Data breaches: these have to be reported to the authorities within 72 hours of discovery, with full details and a plan for mitigation of the damage.
  • Territorial scope: this was ambiguous in the previous regulations but has been clarified so that information held anywhere in the world (and not just in Europe) by European businesses is subject to the legislative procedures and requirements.

There is a considerable push behind data protection legislation and enforcement, and not just from the EU, so it is as well that companies (and especially SMEs) are aware of the law and set up some systems for compliance. Ignorance or inability to do this is unlikely to be accepted as an excuse, and it appears that the enforcement authorities are keen to pursue compliance as soon as the regulations become active, i.e. May next year (2018).

If you collect and keep customer data in any form and in any place (including the cloud), you urgently need to review how and why you do this and put in place robust procedures for gaining consent and for providing access and removability in a timely fashion.


If you would like to discuss this topic or anything else related to data protection and user experience, why not give us a ring on +44(0)800 024624 or email us at info@usability247.com.
