By John Culkin, Director of Information Management, Crown Records Management
Microsoft and Google are already taking ‘right to be forgotten’ requests as the data world prepares to modernise; but how ready is UK business for what lies ahead?
The decision by the internet and technology giants places them ahead of the game as we wait for the EU General Data Protection Regulation that promises to take data ‘out of the digital Stone Age’. Their recent meetings with data protection groups - to fight any requirement for links to be deleted in the United States as well as in Europe - indicate they are looking ahead, too.
But the forthcoming Regulation is not only aimed at the internet, and not only at corporate heavyweights. All sectors and all companies should be watching very closely.
Google and Microsoft’s early actions come on the back of a recent court case in which Google was ordered by the European Court of Justice to remove outdated information about a Spanish man’s repossessed home from future searches. But this is only the thin end of the wedge.
The verdict indicated an increased desire across Europe for citizens to have greater control over data held about them in future. Now ministers across Europe are fine-tuning a new Regulation, based around the same principles, which is likely to be approved in 2015 and in place by 2017. It will have major implications for all sectors on the way data is collected, stored and accessed.
The legislation – replacing the current Data Protection Act in the UK, which has been in place since 1998 – aims to provide a Europe-wide regulation for data controllers and processors. It will provide a one-stop shop to deal with a single Data Protection Authority in each country, new European Data Seals to aid compliance, and a requirement for companies with more than 250 employees to employ a Data Protection Officer.
Ironically, the expression ‘right to be forgotten’ may not necessarily be included in the final draft – it is likely to be re-phrased as a ‘right to erasure’. But nevertheless the impact on businesses could be considerable.
In future, data held will need to be accessible, searchable and editable – a major challenge for some, especially for sectors such as banking, retail and the public sector which store huge amounts of information. It is worth pointing out, too, that the Regulation does not only apply to data stored digitally but also on paper – a completely different challenge.
Additionally there will be greater rights for customers to ask to obtain their personal data in a portable format. And the gathering of data in the first place will require explicit consent from a data subject, which could require some major changes to systems.
It is clear that big changes lie ahead and my advice is that preparing early is the key. Not least because the EU Data Protection Regulation is expected to include severe penalties for companies that negligently breach regulations – up to 5 per cent of global turnover or 100m Euros if greater.
The big question is: Are you ready to leave the digital Stone Age behind?
It seems not many people can answer ‘yes’ right now. But there are commercial benefits to tackling the challenge early. The desire from European citizens to have greater control over data is clearly growing - and companies that follow Microsoft’s lead and put procedures in place now can gain an advantage over competitors.
Below are five key areas in which companies can prepare for all eventualities by adopting basic principles of data collection, storage and destruction. These are measures that will not only place businesses in good stead when the new EU Data Protection Regulation finally becomes enshrined in law - but will also have a positive impact on operational health.
1. Spring-clean your data: understand its value
Start with an audit to distinguish how much data currently stored actually needs to be kept. Is it ‘records’ or in fact junk or data noise? Destroying unnecessary information can help create a clearer picture for the future. For data that needs to be kept, make sure you know where it is stored, who uses it, how to access it and how to protect it. The key to good data practice is in understanding its value in the first place; so treat data like an asset.
2. Know who is responsible: assign ownership
With fines for non-compliance so high, it is vitally important that someone takes ownership and responsibility for staying up to date with new regulations. Make it clear which role has responsibility for each type of data.
3. Develop processes now to deal with data breaches: be prepared
It will soon become compulsory to have a system in place for dealing with data breaches, including processes for notifying anyone affected by a breach. So why wait? Clear and well-practised procedures should be put in place now – not least to identify who is responsible for reporting.
4. Understand whose data it is: seek consent and open communication channels
In future explicit consent will be required from people to gather their personal data; so get those processes in place early. Any organisation that stores personal data should consider what the legitimate grounds for its retention are and how it will communicate this to customers.
5. Design-in privacy: change your culture
Start to create a culture where privacy is considered in every process and at every level. Designing-in privacy - and making staff aware of its importance - is the key to good data practice as data protection evolves.
The bottom line is the age of data is changing fast, for better or for worse and whether we like it or not. So regardless of what ministers in Europe decide over the coming months - and however the final EU Data Protection Regulation takes shape