Making it personal
The issue of personal data protection will become increasingly important with the introduction of the General Data Protection Regulation (GDPR) on 25th May 2018. Steve Martin and Paul Reeve explain what it means for our sector.
The new GDPR rules are set to have a major impact on businesses in our industry, in two significant and differing ways. Firstly, almost all businesses need to take note of the broader issue of protecting the data of individuals when developing their company systems and managing customer records.
At present, the Data Protection Act 1998 (DPA) places certain requirements on businesses, but the GDPR will go significantly further than the DPA. The GDPR will apply to the processing of any personal data within a company, and significantly, it will give individuals more influence over the information organisations hold on them, and how it is used.
Businesses will need to ensure that individuals can withdraw their data-sharing consent easily and, significantly, that they also have the right to have their records deleted promptly. Individuals will also be entitled to ask for a copy of all data being held in relation to them, and an explanation of what it is used for.
Those businesses that hold the original data will also be accountable for how any third parties use personal data, and could face penalties due to non-compliance by these other organisations.
12 steps to take now
The Information Commissioner's Office is advising all businesses to take the following steps to ensure that organisations are prepared for GDPR. More detailed advice is available from the second link below.
1. Awareness – decision-makers and key people in your business should be aware that the law is changing.
2. Information you hold – audit and document what personal data you hold, including its source and who you share it with.
3. Communicating privacy information – review your current privacy notices; plan any changes before the deadline.
4. Individuals’ rights – how will you delete personal data? How will you provide data electronically?
5. Subject access requests – plan how you handle requests for information within the new timescales.
6. Lawful basis for processing personal data – identify what the lawful basis for your processing activity is under the GDPR.
7. Consent – review how you gain, record and manage consent.
8. Children – how do you verify individuals' ages?
9. Data breaches – check your procedures for detecting, reporting and investigating personal data breaches.
10. Data protection by design and data protection impact assessments – how will you implement these requirements in your organisation?
11. Data protection officers – designate someone in your organisation to be responsible.
12. International – if you operate in more than one EU member state, you should determine your lead data protection supervisory authority.
Data protection within the built environment
Another key element for engineering services businesses is how data protection will interplay with the built environment, such as integrated technology and security systems installed within buildings.
As noted above, 'personal data' is covered by the DPA and the incoming GDPR. Crucially, the ability to identify an individual depends partly on data held about the individual, and partly on other information gathered by the building infrastructure and sensors. The information held could well qualify as 'personal data'.
To give an example, a physical access control system installed in a building will transmit, receive, store, and even remotely monitor information. The data produced from this alone may not identify the occupants. However, if access fobs are assigned or tagged to employees, or if video surveillance, biometrics or facial recognition are used, then the stored information will become personal data, as individuals and their movements would become identifiable through those technologies.
Ensuring that intelligent installations can be protected against hacking could therefore be very significant to contractors and installers. If a system becomes compromised, then IT systems could be hacked and data stolen, destroyed or manipulated, thereby putting constructors and contractors at risk of being non-compliant with existing data protection laws and regulations.
Many engineering services businesses are already well placed to help clients with cyber security issues, ranging from device selection and maintenance, to systems integration. However, taking full advantage of this opportunity will mean extending existing skillsets.
If an organisation experiences a data breach, the GDPR requires this to be reported to stakeholders and the regulatory authorities within 72 hours of discovery. The Information Commissioner's Office (ICO) can audit a business at any time from 25 May 2018, regardless of whether a breach has occurred. Non-compliance with the regulations could lead to significant fines of up to four per cent of total business revenue.
While there is some commercially driven hype about what's needed for even small businesses to comply with GDPR, the new regulation will apply to the bulk of small and large businesses in our sector, and there is no room for complacency. The clock is ticking down to May 2018, and new, practically useful personal data protection systems will need to be identified and set up.
With this in mind, now is the time for all businesses to consider what GDPR means for them, and to start creating what they need to ensure compliance.
Paul Reeve is ECA Director of Business and Steve Martin is ECA Director of Technical.