With GDPR and the Data Protection Bill looming will data become a liability for businesses?
PUBLISHED: 08:40 09 August 2017 | UPDATED: 08:41 09 August 2017
Strong new rules to force companies to protect personal information and control the way it is used are set to be introduced in the UK.
The government has announced a Data Protection Bill which will formalise the European Union’s General Data Protection Regulation (GDPR) in UK law.
But what does this mean for businesses and the public?
Information ranging from email addresses to shopping habits is stored and used by businesses to build up profiles and better understand their customers.
And with improvement in data analysis tools, businesses can know more about us than ever.
Norwich-based tech firm Proxama is now focusing on data intelligence which will see it give feedback to companies on their advertising, while drivers insured with Aviva will already be aware of it using telematics to monitor how they drive and identify their risk level.
Recently iRobot, makers of robot vacuum cleaner Roomba, revealed its devices had been mapping homes and was planning to sell the data, with permission, to smart home firms.
That data is valuable to such firms – but could be even more valuable to those who want to use it improperly.
As more data about us is collected, the risk of it being used for nefarious purposes increases, hence the government deciding to update the law in line with changing technology and the EU.
Firms can be fined up to £17m or 4% of global turnover, whichever is higher, for not handling and protecting data correctly.
They will also have to prove they gathered explicit consent to take people’s information – and lawyers warn that firms unable to do so could find the data they thought was so valuable has in fact become a liability.
And some businesses have taken extreme measures – JD Wetherspoon deliberately deleted its entire email list earlier this year. The pub chain suffered a serious breach in 2015 and the move was seen by experts as one to prevent falling foul of the new rules.
It will also be a criminal offence to intentionally or accidentally create situations where someone can be identified from anonymised data. The Data Protection Bill has added the right to be forgotten by social media as well as the right for decisions about you not to be made by artificial intelligence.
Technology company Axon Vibe is aiming to make people’s lives easier by using their information to predict decisions they might make.
The company’s platform, which is used in Swiss train app SBB, takes location data, customer habits and travel information to allow it to give relevant and personalised updates to a traveller.
Chief technology officer John Fagan, based in the company’s Norwich office, said he expected the technology to be used in other sectors such as retail in the future but said it was vital for businesses to be honest about the data they collected.
He said: “The key thing is to build up trust with people so they are willing to share their data.
“We need their consent to access data constantly, for example their location, to make our system more intelligent. We make it clear what we are doing and what we are doing with it. We present it back to users in an interesting way so they can learn something from it too.”
Consent and the law
The General Data Protection Regulation and Data Protection Bill should spell an end to companies tricking customers into giving away data against their will.
Leathes Prior solicitor Alex Saunders said that the effectiveness of the changes would depend upon how they were enforced.
“There is much more of a focus on what evidence a company can produce when investigated to show it was compliant with the law,” he said. “How a business acquires consent, and if that consent can be taken back as easily as it was given, are key changes.
“Consent will no longer be able to be obtained though a pre-ticked box or inactivity.”
Mr Saunders added: “For many modern businesses, data is one of their most valuable assets and can be utilised to add value to its operation.
“Businesses will have to assess if the data they hold adds high enough value to overcome the risk of punishment.”
With huge fines looming, the safety of data and where it is stored has become increasingly important.
Data centre company Migsolv, based at Bowthorpe, said small businesses would have to be particularly careful about how information collected before GDPR and the Data Protection Bill comes into effect is stored and kept safe, especially if it is saved in multiple locations.
Managing director David Manning said: “One certainty is that it is putting greater demands on even the smallest businesses to protect their data and know exactly where it is stored. Cloud storage is convenient but it can sometimes be hard to know where data is located and if it’s been duplicated. Responsibility lies with businesses themselves, so they need to be sure. JD Wetherspoon has taken a bold step. Data is often backed up in multiple locations, so it can be hard to ensure all copies are erased. It’s often more effective to over-write data, rather than simply delete it.”
A balancing act
Data can be used to make our lives easier but it can also build a profile of us which we might not want some people to see.
Esperanza Suarez, data protection officer at Axon Vibe, said: “As technology becomes more and more complex there are a few double-edged swords – things which are really useful to us as consumers but are also a little bit scary.
“Companies can analyse a consumer’s behaviour and know so much about them that they can predict what they are going to need to buy and when.
“It can be useful because they might be shown relevant adverts or given offers – but it can also look into our private lives.”
Ms Suarez pointed to companies like Facebook, which revealed in 2014 it had been carrying out experiments on its users to manipulate their emotions, as an example of the power of data. “It is a balancing act,” she said.