A data protection failing can threaten everything from a person’s bank account to their life. At the very least, it may cause damage and distress.
The private information of individuals is as valuable as currency itself, which is why cybercrime was estimated to have cost the global economy around $450 billion in 2016.
Yes, you’re busy. You’ve got other things to think about besides data protection and legal compliance, but if you’re running a business in the 21st century this is what you’ve got to deal with.
Banks, credit card companies, pension providers, social media companies and every other business, public authority or organisation should be taking steps to protect the personal data of individuals.
Examples of Data Protection Failings
Here are just a few stories from the media that illustrate what goes wrong with personal data, whether it is accessed by people who should not have it or withheld from the people it belongs to:
- The Panama Papers data leak might have seemed like a victory for those opposed to the tax-avoiding cash management schemes of the mega-wealthy, but suppose those personal details had belonged to vulnerable members of society, like orphans, whistleblowers or witnesses of serious crime?
- And then this happened: details of at-risk children under court protection were accidentally sent to Leicester taxi firms.
- The Windrush scandal saw legal British residents denied access to their own personal data.
- Facebook. Cambridge Analytica. Enough said.
- Sheffield Credit Union tried to downplay a serious case of hacking for public relations reasons.
The UK’s Data Authority: The Information Commissioner’s Office
The Information Commissioner’s Office (ICO) is the UK’s data protection authority. It is an independent public body that reports to Parliament, is sponsored by the Department for Digital, Culture, Media and Sport, and is funded largely by the data protection fees paid by the organisations that register with it.
They uphold the rights of individuals who want to keep control of their personal information.
The ICO’s work includes, in the most serious circumstances, issuing financial penalties to wrongdoers, with fines that reflect the seriousness of the organisation’s failings and the risk they created for the individuals concerned.
Examples of Fines Handed Out
Here are a few examples of fines handed out in severe cases, unsurprisingly to larger organisations and businesses:
- In 2014 a British abortion charity was fined by the ICO after a hacker accessed the BPAS website (which stored details of pregnant women seeking advice on termination) and threatened to leak the information online.
- Carphone Warehouse was fined £400,000 by the ICO for failing to keep its WordPress website software up to date, leaving a security vulnerability that allowed unauthorised access to customer and employee data.
- The Crown Prosecution Service was fined £325,000 after losing videos of victim interviews.
GDPR: An Update to Data Protection Law
On 25th May 2018 a Europe-wide update to data protection law became enforceable, replacing the regime of the Data Protection Act 1998. It is called the General Data Protection Regulation (GDPR), and in the UK it is enforced by the ICO.
Regardless of Brexit, this law applies to the UK.
In fact, the law applies to any business, charity or organisation anywhere in the world that collects and processes information about individuals in the European Economic Area, for example by offering them goods or services or monitoring their behaviour.
The Data Protection Act 1998 was based on the Data Protection Directive of 1995 and was sorely in need of an overhaul given the changes in technology and commerce since then.
It’s strange to think that most of us carry a tiny computer (your smartphone!) which processes vast amounts of personal data, and yet still, many are unconvinced that data protection is a worthwhile pursuit.
Here’s the current information commissioner, Elizabeth Denham, making an address in April 2018:
“Data” is the New “Oil”
If you’ve been following the news lately, you’ll know the ICO has been investigating Facebook and its involvement with Cambridge Analytica.
Cambridge Analytica, the data-mining company, was paid millions to manipulate and seduce voters with non-factual information using highly targeted Facebook advertising campaigns.
On hidden camera, its executives inadvertently revealed their role as purveyors of fake news, abusers of Facebook data and self-confessed agents of entrapment and political smear.
The Facebook data came from a personality quiz app. Those who took the quiz exposed not only their own data but everyone in their Facebook friends network to the data-harvesting agenda of the app.
The story came to the world’s attention after a Channel 4 News report exposed the dealings of CA with undercover footage from its sting. It was the culmination of a year’s worth of investigation and research by Observer and Guardian journalists.
What Small Businesses Must Do
To bring this back down to earth, let me remind you that if you’ve been respectful, conscientious and transparent with the personal data of individuals up till now, you’ve got far less to worry about than the big companies we’ve seen exposed in the media for their various gaffes.
Familiarise yourself with your obligations, such as registering with the ICO (you may or may not have to, depending on what you process) and writing an easy-to-understand privacy notice explaining what you do with a person’s information.
Start by asking: what information do you collect about people in order to run your business? How do you collect it, why do you need it, and how long do you keep it?
If you take a look at my privacy notice you’ll see it is informal(ish) and uses easy to understand language. I’m still working on it and see it as a long-term project.
Summary: Don’t Just Comply with Privacy Laws – Understand Them
Data protection in the EU is considered a fundamental human right whereas in America, it is thought of as a feature.
It’s rare to see an American organisation voluntarily take personal data protection seriously, because it is thought to make them less competitive and therefore less profitable.
Don’t treat EU data laws as a slight on British sovereignty, though.
Continental Europe knows all too well what happens, for example, when an entire people without adequate protection is targeted for extermination.
Yep. The Nazis located, arrested and murdered many Jews on the basis of their birth records. Personal data.
To emphasise the point about data snooping, it sounds as though President Donald Trump’s administration holds a list of those the USA considers “undesirable”, given that an innocent family was recently pulled out of an airport queue and questioned.
Their data had been obtained and was being used against them.
None of us can predict the future but history has taught us to expect power to corrupt and personal data to leak, be stolen and misused.
As a small business, let your customers know you’re diligent, trustworthy and principled.