GDPR: do you know what data protection breaches could cost you?

With the upcoming EU General Data Protection Regulation (GDPR) laws coming into force Europe-wide in 2018, it seems that many enterprises in the EU still do not understand these new laws and the far-reaching changes to data processing needed to comply with them.

While 2018 may seem like light-years away and GDPR looks like some distant inconvenience, there are two very distinct issues to bear in mind.

Firstly, there are current data privacy laws in place such as the UK Data Protection Act 1998 (DPA 1998) which is beginning to be enforced more rigorously now, as the authorities start to turn their attention to the introduction of GDPR.

Secondly, while DPA 1998 non-compliance can also lead to very heavy fines, many people are still unaware or the large financial impact these existing non-compliance penalties carry, let alone the reputational damage that will follow.

If this is the case now with DPA 1998, GDPR will have a massive impact on the unaware and non-compliant as the requirement for compliance will go way beyond where we are now, to affect nearly every department in a business, so the dangers of short-termism loom large.

And GDPR fines are heavy: up to €20,000,000, or 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, and whichever is greater.

The need to prepare now

The main issue is that because many people in the business community don’t fully understand data privacy and data protection law, many basic rules are often overlooked and that can mean trouble.

Sending personal data by email; exporting data to places like the US without the proper regulatory safeguards in place, and leaving hard copy client contact data lying around all constitute violations and can attract financial penalties. But what a lot of people don’t realise is where the responsibility for data security rests.

Data Controller v Data Processor

Where a company uses its own data for marketing purposes, as a client-side marketer, you are the data owner – legally a ‘Data Controller’ – of any data in possession of your company or your digital marketing agency.

And while your digital marketing agency is the ‘Data Processor’, and this sub-contractor is subject to some liability in the event of loss, theft, or data hack, it is you the Data Controller, who will be the primary entity in the event of a breach, and the entity receiving the fine.

Emerging risks

In this highly connected world, data is now front-and-centre of everything we do in the marketing business today. This means data is now a valuable commodity, and the issues around sending personal data by email or exporting data to places not covered by EU-recognised data protection laws is now only a small part of the equation.

Physical theft is a growing reality, and malicious data theft or destruction has been seen, so your understanding of your agency’s digital, physical and data control becomes critical to your own employers’ security.

Review your agency and stay safe

Understanding your digital marketing agency’s data security and control systems, how they are arranged, how they are implemented and how effective they are is critical. Here are typical areas you need to be aware of:

• access control: who is authorised to see your company’s personal data?
• disclosure control: who is authorised to transmit data?
• input control: who is trained (and how) on entering information?
• job control: who manages data and how are they trained to process it?
• availability control: how do they prevent destruction?

Understanding this is now vital to your corporate compliance. These are not only big questions, but have a complexity as people come and go in digital agency life, so the sands can be ever-shifting, making your control of the situation tricky.

Agency ISO certification and collaboration

I said at the beginning of this post that GDPR will affect practically all areas of your enterprise due to the prevalence of data in business. This means that today, you need to select the right kind of agency with the right kind of people, plus ISO 9001 and ISO 27001 certification, as this will offer you optimum security in two ways.

Firstly, with ISO 9001 and ISO 27001, you know you have the right kind of agency and, secondly, if that agency will collaborate with you, train all relevant personnel within your enterprise to optimise all departmental data security, then you have the right people, too.

But this is a two-way street: while finding an ISO 27001 certified digital agency will require commitment, getting them to commit to you to collaborate in this way will require longer-term involvement, so contractual commitment will also be a wise consideration.