Business leaders must get serious about data protection

Originally published at on September 30, 2017.

Many of my friends would never dream of posting daily updates on Facebook and LinkedIn. Yet for my son’s generation, a day is a long time not to put a new picture or comment on social media.

Everybody has the right to decide how much they disclose to the world. Until now, they have not had enough power to control how companies use their data. The UK’s Data Protection Act dates to 1998, which for today’s digital economy is a moment of pre-history. It was the year Google was founded, when only a fraction of British homes had an internet connection. Since then there has been an explosion in web use, and the creation and sharing of billions of pieces of data.

We were reminded once again this month how valuable data are, when Equifax disclosed a major cyber attack. At Cifas, the fraud prevention organisation that I chair, we see the price of bad data management every day. In the first six months of this year, there were 89,000 cases of identity fraud reported to us — a record number. The new Data Protection Bill that is due imminently will not automatically prevent these breaches, but will ensure the UK from next May complies with the European Union’s General Data Protection Regulation (GDPR). This will update the law, help public understanding and deter companies from neglecting data.

The 1998 Act established eight principles that govern how consumers’ personal data, such as their phone number and email address, are processed. These include that the data must have been obtained fairly, must be accurate and must be held securely. It gives consumers the right to discover what personal data an organisation holds on them. These rules were updated in 2003 to give added protections around unsolicited direct marketing. The biggest change under the new regulations is that consumers gain much more clarity about the “right to be forgotten”. This is the ability to ask Facebook, Amazon and others to delete all the data they carry on you. It is the last thing many daily Facebook users would want, because they regard the service as a record of their lives. This new law, however, applies to any company.

It is a right to ask, not an absolute right to delete everything. Still, the conditions are pretty broad. It applies when the data are no longer necessary in relation to the purpose for which they were originally collected. It applies when there is no legitimate interest for continuing to process the data, and it applies when consent is withdrawn.

These rules are bold but lawyers are still working through the detail. I suspect how much is ultimately erased will only be clarified in court. The hope is that consumers will take greater interest in who knows what about them. The £10 fee for information requests is being removed and every organisation must disclose what they know within a month.

Most of the headlines about GDPR have focused on the cost to businesses if they fail. Data breaches including cyber attacks where companies are found wanting could be punished with fines of up to £17m or 4pc of global turnover, whichever is higher. Under the existing regime, the maximum fine is £500,000. Many small businesses are only now becoming aware of the work they will have to do to prepare for the new rules. The biggest challenge for companies will be to demonstrate that users understand what they are signing up for. A simple tick in the box is no longer enough.

Data lie at the heart of many industries where the UK excels. Companies have used the information they have to innovate and tweak their offering. On the other hand, the massive expansion of personal data collection and storage by businesses has brought much greater scrutiny. Business leaders must accept this new reality and prepare now for GDPR.