With ever-evolving tech and more of our data going online by the day, it’s no secret that the law has struggled to keep up. There’ve been a tonne of developments in Data Protection laws recently, and although it sounds about as fun as a hole in the head, in the wake of the Safe Harbour ruling and with tougher EU privacy rules (in the form of the draft Data Protection Regulation) expected to come into force in early 2017, it’s more important than ever that you know what all of it means for your data, and your customers’, and prepare accordingly.
The new bill will affect everyone collecting or storing data online or in the cloud so burying your head in the sand is no longer an option. The grace period for due-diligence ends Jan 16th 2016, so by then you must know where your data is, the laws that govern it, what you need to do to secure it, and the very real price you will pay if you don’t.
If you’re a UKFast client you aren’t affected by any of the Safe Harbour ruckus, but if the company you host with doesn’t keep its data on British soil you could be; and no matter who you are, the expected data protection changes will affect you, so here’s what you need to know.
What are data protection laws?
Data protection laws exist to strike a balance between your right as an individual to privacy and the ability of organisations to use data for the purposes of their business. The bill extends to anyone who stores other people’s personal data an obligation to ensure that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
When the changes come in, the bill and the new data protection laws are really going to start to have some teeth. The finer points are still being debated, but a few of the big things it’s expected to include are much higher fines for non-compliance, based on a percentage of turnover; more prescriptive rules around fair processing of personal data; more accountability; and far more fines and enforcement by the Information Commissioner.
What are your obligations?
In order to comply with the current Data Protection Act, a data controller (a person or organisation that determines how personal data is processed) must comply with the following eight principles:
- The data should be processed fairly and lawfully and may not be processed unless the data controller can satisfy one of the conditions for processing set out in the Act.
- Data should be obtained only for specified and lawful purposes.
- Data should be adequate, relevant and not excessive.
- Data should be accurate and, where necessary, kept up to date.
- Data should not be kept longer than is necessary for the purposes for which it is processed.
- Data should be processed in accordance with the rights of the data subject under the Act.
- Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
There are many more in-depth requirements on data controllers and on the processing of data, which you should investigate further independently, because you’d be reading this blog forever if I listed them all here.
One of the points above worth highlighting though is that as well as knowing where your data is at all times, you need to ensure that you’re securing your data effectively with ‘appropriate measures’ against attackers and data loss. For many businesses this will mean outsourcing your security to an accredited third party that can deal with everything from firewalls to penetration testing.
What are the main risks if you don’t comply?
Financial – the most obvious and immediate issue is that you and your clients will probably lose money if you experience an attack. You’ll experience the joy of some hefty non-compliance fines, which are currently in the region of £500k, but the expectation is in future this will move to a percentage of your overall worldwide turnover.
Operational – the time it will take to get your business back on its feet and potentially moving your data. And lost time means lost revenue.
Reputation – potentially the worst in the long term, reputation is easy to lose and hard to get back.
What’s the bottom line for UKFast clients?
UKFast customers don’t have to worry about the concerns relating to Safe Harbour.
We keep all our customer data in our UK-based, ISO27001 and PCI compliant UKFast data centres, so you can be assured that the more stringent UK laws govern the protection of your data.
Being ISO27001 compliant yourself, and/or using UKFast, who are ISO27001 compliant, gives both customers and the Information Commissioner assurance that “appropriate technical and organisational measures” have been taken to protect data.
If that wasn’t enough, we also wholly own our data centres, and they are manned and operated 24x7x365 by UKFast security-vetted staff!
What’s the bottom line for UKFast partners/non-UKFast clients?
UKFast partners will be data controllers if they are collecting personal data from their customers and either storing it on their own systems or passing it to us, and therefore they owe their customers obligations with respect to that data.
In the future, if the new bill comes into force, businesses of a certain size will need to have a data privacy officer, who has to be an expert in data protection law and must make his or her name available to “data subjects” (people who can be identified from their data).
Partners are going to be prohibited from transferring personal data out of the EEA unless they can demonstrate data is adequately protected.
Ask yourself: is my data leaving the EU? Can I trace the chain of custody of my data? Do I know who’s liable if we fall foul of the rules? If my data is leaving the EU, what frameworks and protections are in place to ensure that it adheres to the data protection rules while it’s in transit?
We urge you to go away and do some more research on the data protection minefield. Speak to your hosting provider and ensure that a) you know where your data is hosted and b) you’re covered under the laws and are prepared for the changes.
Obviously, whilst my ramblings have been informed by some great and clever people, I’m not a lawyer. This blog does not constitute legal advice, and we recommend taking specific independent legal advice.
For more information on the security solutions UKFast provides, including firewalls, vulnerability scans, penetration testing and more, take a look at our website.