And now for the bit you’ve all been waiting for…data protection regulations. Not particularly interesting, though certainly important, that is if you value the 4% of your turnover that could vanish in a fine for non-compliance.
The new legislation in question is an update to the current Data Protection Act – enhanced, refocused, with extra sharp teeth and wearing special pants. You name it, the General Data Protection Regulation has it all. The GDPR, along with its enforcement bells and whistles, comes into force next month – 25 May 2018. Despite being an EU animal, it is impervious to Brexit, so whatever, if anything, the UK and EU agree on that front, it will remain in force.
First the gory part. As mentioned, businesses can theoretically be heavily fined if they infringe the regulations. The bottom line is that the GDPR is aimed at protecting individuals’ data. The regulations affect every organisation, not just finance houses, direct marketing companies or your annoying neighbour who keeps sending you unwanted emails asking when you intend to trim your hedge.
Housing associations, housebuilders, local authorities, independent surveyors, consultants: they are all under the spotlight on this one, albeit the Information Commissioner’s Office, the relevant authority, is likely to recognise that the bigger the organisation, the more resources it will have to throw at the problem. The ICO has stressed that it wants compliance rather than an income from fines.
It is about how organisations store, process and use people’s data. It applies to any data an organisation holds about people, whoever they are: customers, business contacts, suppliers and so on. It applies to what that data is used for. It applies to how it is stored (encryption, password protection etc.), whether it is sent on to third parties and so on. For instance, marketing departments have to gain the consent of people on their mailing lists to message them. If a housebuilder wants to email a newsletter to potential private homebuyers, for example, consent should be explicit and informed, such as ticking a box online or on paper, because they are individuals being emailed in a private capacity. Failure to opt out does not mean they have opted in. However, if a local authority wants to email a newsletter to a list of developers, the recipients can be said to have a ‘legitimate interest’ in receiving the message, as it is business-related, and consent is effectively assumed.
When it comes down to it, the GDPR is ultimately a test of business ethics and efficiency. The aim is to make data protection much more of a central theme than it has been for some organisations. So it is of little surprise that there is a bewildering amount of information and variously informed comment available online. The ICO has done a huge amount of work to help explain how organisations can get up to speed and whether or not they will be affected. See ico.org.uk for the authoritative view.