- Are you ready for the changes coming to Data Protection Laws?
- Are you in breach of the Data Protection Act?
- Can your customers trust you with their data?
- How do you know which suppliers (including cloud providers) you can trust with your data and that of your clients?
- What would you do if you received a Data Protection enforcement notice – it is a criminal offence to ignore this and not respond.
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people more privacy in relation to electronic communications.
There are specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure;
- customer privacy as regards traffic and location data;
- itemised billing and line identification;
- directory listings.
The impact of the new regulations will be different for every business, but it is important that you understand your obligations and do your best to fulfil them in order to avoid costly fines or enforcement notices.
Here are some of the initial areas we will discuss at this event.
Consent and control
How far do you give your customers genuine control over what information you keep about them and how you use it? If you’re relying on their consent, do they know that they are consenting and the implications of this? This is especially pertinent if they are children. Can they easily say no or withdraw their consent later on?
Do you have effective processes in place to ensure that you are data protection compliant? Can you explain what these are and demonstrate that they work in practice? Can individuals easily find out not just what information you hold about them and how you might use it, but also, more generally, about your personal data handling practices?
It may not be clear yet whether you’ll be required to designate a Data Protection Officer, but even so, do you have the right people in place to help you understand and meet the requirements of the Regulation? If not, do you at least have some idea where you might get the necessary expertise from? It’s a myth that the Regulation will require every business to recruit a Data Protection Officer, but businesses will need resources to help them deliver the necessary change, even if those resources come through training and developing existing staff.
Privacy by Design
What steps do you take to make sure that your systems and processes, particularly new ones, deliver data protection compliance as a matter of course? Are you reviewing the personal data you hold and why you hold it to ensure that you can meet the requirement for ‘data minimisation’? Do you know what a privacy impact assessment is?
Do you have a breach management process in place? Is it ready to be activated even if you’ve been fortunate enough not to suffer a significant personal data breach so far? Does your process include arrangements to notify affected individuals as well as the ICO? Most importantly, do you have effective technical and organisational security measures to prevent breaches in the first place? Are you sure that these are kept up to date?
We’ll be providing further updates on the progress of the reforms, and what this all means in practice.