The chances are that you’re aware of the General Data Protection Regulation (GDPR), which has been a topic of much debate in the EU Parliament over the past five years. The GDPR replaces the Data Protection Directive 95/46/EC and has been constructed to harmonise data privacy laws across the EU, protecting the data privacy of every person within the EU and affecting the way businesses across Europe approach the storage and management of data. Illegal access to information is not new, but it continues to grow, while consumer confidence in the security of data storage is diminishing. High profile cases of data losses, including the theft of 38 million account details from Adobe, the compromise of 20,000 Tesco bank accounts and the hacking of one billion Yahoo email accounts, do nothing to reassure customers that their information is safe.
Data is power, and businesses need to reassure customers and partners that their information is secured to the greatest possible degree. Under GDPR, more information will be treated as ‘personal data’: address details, financial details and contract agreements all fall under this umbrella. The GDPR acts as a replacement for the current Data Protection Act in the UK, but significantly raises the stakes in terms of compliance. It’s designed to protect sensitive personal data such as political views, medical details, and passport or ID document scans. Organisations in the housing sector also need to consider additional data such as IP addresses and other online identifiers, which will be classed as ‘personal data’.
Irrespective of Brexit, the GDPR will come into force on 25 May 2018, so with just over 12 months to prepare, are housing providers in a position to successfully manage the implications of GDPR? Let’s have a look at three of the key implications:
1. Financial Penalties
Historically, the Information Commissioner’s Office (ICO) has been constrained by the level of financial penalty it can impose on big brands if they suffer a data breach. In October 2016, the ICO fined TalkTalk £400,000 for failing to prevent a data breach that occurred the previous year. A reasonable sum to most, but it can be argued that it made little impact on a business that reported EBITDA of £260m in its 2016 annual report.
However, with the GDPR the ICO has increased clout when it comes to penalties, with the maximum penalty equal to 4 per cent of annual turnover or €20 million, whichever is the greater.
2. Do your suppliers process data?
The housing sector has a number of partners and suppliers that manage data for other businesses, and under GDPR they are now responsible for the way that data is securely managed. If any supplier to the housing sector systematically manages, processes or stores data on behalf of a partner or supplier, then it is liable should a data breach occur.
Interestingly, should a data breach occur via a partner or supplier, this does not absolve the owning business from any blame. Its data security will also come under examination. So not only should organisations in the housing sector make sure that their houses are in order, collectively they should be asking their partners and suppliers what they are doing to prepare for the introduction of GDPR.
3. Notifying the ICO
A business will no longer be able to sit on a data breach while it deals with the problem and then grudgingly notify the authorities once it has it under control or enough time has passed to lessen the impact. The Yahoo email hack, which reportedly affected over one billion email accounts and could be the biggest data breach in history, was reported in 2016, but originally happened in 2014. This won’t be acceptable once GDPR is in place.
GDPR makes it clear that a notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. Failure to do so can also result in a penalty of up to €10 million or 2 per cent of global turnover. So honesty is the best policy.
What to do now?
Whatever you do, don’t do nothing! If you work in the housing sector and you don’t know how your organisation is preparing for GDPR, then we strongly suggest you find out soon. A gap analysis of internal data security processes should already be underway and, even better, new standards for managing, processing, storing and disposing of data should already be rolling out.
Ideally, by now, you should already have reviewed your policies and processes regarding the handling of personal data and should be looking to bolster your data security to avoid any potential breaches. And while there is a view among IT professionals that if a hacker wants to hack a business, then they will find a way, at least businesses shouldn’t leave the back door open for them.
Having robust data security, management, storage and disposal policies in place will help you become more secure. Equally important is the training you give to employees, because you need to make certain that they’re aware of the changes and of the financial penalties.
If you want to know more about GDPR and how it could impact your organisation, perhaps have a look at www.eugdpr.org and www.ico.org.uk/for-organisations/data-protection-reform.
Ian Smith is finance director and general manager at Invu Services.