The dawning of a new era in data security
In this cyber-led age that sees lives inextricably interlinked with technology and personal details given up at the click of a button, incoming data protection laws are good news for consumers.
But with far-reaching implications for companies big and small, the dawning of a new era in security has thrown some Bristol business owners into turmoil, with talk of hefty, six-figure fines, stricter rules and tough enforcement action.
While some may remain blissfully oblivious, the vast majority are all too aware of the new General Data Protection Regulations (GDPR) that come into play in the UK on May 25 2018.
And the time to act is now, say Bristol’s finest legal minds, who are luckily on hand to shed light on this tangled web of data security.

Claire Hall of VWV. Photo by Freia Turland
“One of the key changes under the GDPR is that organisations must be able to demonstrate how they are complying with the data protection principles,” says Claire Hall, associate at Bristol law firm, VWV.
“This will involve considering data protection to a greater degree than under the current law.
“At VWV, we are finding that people are becoming increasingly aware of their rights and expect organisations to treat their information properly.”
The new EU laws will replace the UK’s Data Protection Act of 1998 and, while many existing core principles remain, GDPR brings in new rules on how businesses gather and handle information as individual rights take centre stage.
And, no, their implementation won’t be affected by Brexit.
Key changes include new requirements on obtaining consent, the right to be forgotten, tough timelines on compliance, strict data breach notification rules and hefty fines of up to four times a company’s annual turnover.

Matthew Pope, employment solicitor at law firm Burroughs Day, has set out some key steps to help businesses prepare for GDPR:
“Document what personal data you hold, why you hold it, where it came from, and who you share it with.
“Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data.
“Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
“Identify the legal basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
“Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
“Make sure that decision-makers in your business are aware that the law is changing and appreciate the impact this is likely to have.”
Charlie Wedin, a partner in international legal practice at Osborne Clarke and cyber security expert, also advises businesses to make regular crisis simulation and supply chain audits a part of everyday working habits.
“There will be a new focus on incident response, training and accountability,” he says.
“This means businesses may need to revise incident response plans and hold crisis simulations and other training, for example a GDPR ‘bootcamp.’ Cyber insurance will become increasingly important, as will the necessity of holding regular supply chain reviews and audits.”

This new era of data protection may be serving up some sleepless nights for certain company bosses, but digital director of Clifton-based creative agency, Six, Raymond O’Sullivan, sees it as a positive step.
“It’s a huge opportunity,” he said. “Large organisations can now declutter their customer data in a positive, honest and managed way. Brands have an opportunity to positively engage with their customers on their needs, without historic negative and commercial restraints.
“Our workforces need to be equipped for this conversation as well, especially on a day-to-day level.
“I feel traction is growing very fast now. Six are focused on an enhanced data knowledge and culture across our teams. GDPR, both in design and its technical regulations, will be a long-term default for us.”
· Matthew Pope will be talking about GDPR at Burroughs Day’s HR Business Breakfast on Thursday, January 25 from 8am – 9.30am at their Queen Square office in Bristol. For more information call 0117 930 8458 or email: matthew.pope@burroughsday.com.
Main image: Charlie Wedin speaking at Venturefest 2017. Thanks to Jon Craig.