Data: How to avoid falling foul of the law

With new regulation on its way, Sam Jardine, partner at commercial law firm Watson Burton, urges business owners to be prepared before it’s too late and provides some top tips…

Big data is no small matter. 

After all, the aggregation of customer and prospect information means trends can be identified and the right products can be developed – products which could really make a difference to a business’s bottom line.

Yet whether it’s a case of ignorance or complacency, there are still many businesses across the UK that are not complying with data legislation. The top line is that they are at risk of facing hefty fines (tens if not hundreds of thousands of pounds) and of receiving enforcement notices from the Information Commissioner’s Office (ICO). Over the last year a wide range of organisations have been caught out, including:

– £50,000 for a company making unsolicited marketing calls to people who had registered with the Telephone Preference Service (TPS)
– £200,000 for an organisation whose data was not held securely and hacked into – the hacker threatened to publish thousands of names of people who sought advice on abortion, pregnancy and contraception
– £175,000 for a company which had sent millions of spam text messages
– £45,000 for a company which made numerous unwanted marketing calls; and
– £125,000 for companies which generated over 2,700 complaints to the Telephone Preference Service through unwanted calls

For certain, the ICO’s appetite for enforcement has increased in recent years, and in 2015 the General Data Protection Regulation is likely to come into force. The new rules will only serve to underline the stricter view regulatory authorities are taking.

So how can you ensure that your business is compliant?

Ensure you are aware of your legal requirements

Make sure you are compliant with the Data Protection Act 1998, the regulatory framework that outlines how businesses can use personal data. This includes rules about notification (compulsory for data controllers), disclosing personal details to third parties, IT and physical security, and the use of third-party processors outside Europe.

The proposed regulation in 2015 will offer data subjects greater visibility of, and control over, how their personal data is handled, including the “right to be forgotten” (recently highlighted in the Google Spain decision). This means they will have the right to request that their personal data be deleted from computer systems.

It will usher in a new regime on mandatory security breach reporting. Any breach of the regulation will result in fines of up to the greater of €1,000,000 or 2% of annual global turnover.

Ensure you are transparent

You need to provide clear, easy-to-access information about how data is being used. People like to feel that they have all the facts and that you’re a business that they can trust. 

As we have seen from Facebook, people do not necessarily object to sharing their personal data, but they need to understand what it is that you plan to do with it. Being open from the outset reduces any potential backlash later down the line. It is also a legal requirement.

Consider the expectations

Make sure that the data you collect can be used in accordance with the individual’s legitimate expectations. Companies have to draw a line between basic personal data and sensitive data such as medical history or criminal records, and make a clear distinction between the two. Sensitive data cannot be processed without an individual’s express consent.

Partner with a reliable IT expert

Much of the debate around big data lies with storage, security and back-up. Do join forces with a trusted IT specialist that can provide a certified data centre and can safely accommodate access controls for staff across different devices, locations and at different times. Insist on ISO/IEC 27001 compliance as a minimum.

It’s a balance

In many circumstances, collating customer data improves the overall experience, whether through offering targeted special offers to consumers, or using data to build a detailed medical history. Ensuring you get the balance right between privacy and personalisation is essential – few of us object to suggestions put forward on an e-commerce site, but none of us likes an intrusive email referring to data we believed to be private.
