All companies keep a lot of personal data, and this data retention is largely unstructured because of the various formats it comes in – paper records, Word documents, spreadsheets, databases, CRM, Outlook, Calendar etc.
The new data protection laws that will soon come into effect – the EU’s GDPR and the UK’s newly proposed Data Protection Bill (DPB) – will force all our businesses to be more structured in the way they capture, keep and delete this data. In order to stay within the rules and avoid sizeable fines, all our businesses will need to be clear and unambiguous about what we want to use personal data for, as well as how long we intend to hold on to it.
Fines and civil damages
The big risk to companies that hold on to data longer than required is both the fines the Information Commissioner’s Office could impose and the civil damages that people will be entitled to claim. We must therefore always be aware of the data we’re holding and purge it on a regular basis. Under the new laws, if you hold on to data for longer than the allotted timespan, or if data is lost, you will be breaking the law and could be subject to fines of up to £17m.
In addition to the fines, a new right under GDPR will allow individuals to claim for material and non-material damages, not just in the event of a data protection breach but also where data has been retained longer than necessary or where there isn’t a “lawful basis” for holding it. In the case of non-material damages, the claimant won’t even need to prove what the damage to them has been.
Under the new Data Protection Bill and GDPR, you will need to implement a robust, ongoing cycle of deletion, otherwise you may be breaking the law. But it will not be a simple process. For instance, there are legal requirements to hold on to certain HR or tax records for defined periods of time. If you hold on to them for longer, there has to be a good reason and you may have to get clear consent from the person concerned.
Some of the data could be hidden very deep. Just the mention of your name is classified as personal data, yet your name could have been mentioned thousands of times on company emails – is it going to be practical and possible to find and purge every single one of those references? Do we need to revisit email retention policies?
Over time, technology has developed and evolved different ways of capturing and storing data. Under the current Data Protection Act, the ICO acknowledges that it is impractical to remove some data from historical archives, because extracting it is a technical nightmare and in some cases impossible, and it allows exceptions provided the archives are placed “beyond reach”. But how rigorous will the new rules be in requiring us to find these instances?
We need to be prepared
There are only eight months to go before GDPR becomes law, and we need to take both GDPR and the new UK Data Protection Bill seriously. Honda and Flybe have already fallen foul of the rules in trying to prepare themselves for the law changes – both companies have been fined by the ICO for breaking data protection rules with respect to marketing. In sending out emails trying to clarify marketing choices in preparation for GDPR, they seemed to be taking a fairly benign action, but because customers had not consented to receiving those emails, or in Honda’s case the company couldn’t prove they had consented, the ICO took a very firm view, and will continue to do so.
At Lumina Technologies, we are keen to ensure all companies are ready for the new data protection laws. Our MD Richard McBarnet will be holding regular Breakfast Briefings where he will explain what GDPR is and how it will affect your company. Attendance is free of charge and breakfast is included. The event is also CPD accredited, with 1 CPD hour. Click here for details and to sign up.