Data protection is very much a buzz word in the business world at the moment. There have been lots of headlines relating to the data security breaches by TalkTalk and Yahoo among others, and an upcoming change in the law promises to make the regime even stricter.
Understandably many businesses are not quite sure what data protection compliance involves nor why it is important to take it seriously when considering the vast amounts of rules and regulations that businesses in the parks sector have to deal with.
We have been advising many clients recently on the upcoming changes to the data protection regime across Europe and businesses in the parks sector should be particularly wary of these changes due to the large amounts of data they hold on customers and residents.
The law will shortly be changing from the current law under the Data Protection Act 1998 to a much stricter European General Data Protection Regulation 2016. Under the new law the maximum fine for breaches will increase from £500,000 to €20 million or 4% of worldwide turnover, whichever is higher. The new law comes into force on 25 May 2018 and the long lead-in period now is designed to give businesses time to comply. Although the regulation is European, it will apply directly into English law and so all English businesses will need to comply. The UK government have confirmed that they will be implementing the regulation in full despite the recent Brexit vote. Most businesses should start preparing now as there are lots of changes.
The most important reason to comply with data protection regulations is so that you can show your customers and residents that you take protection of their information seriously. This will help to set you apart in the marketplace, as so many businesses get it wrong. Consumers are increasingly choosing to interact with businesses with up-to-date websites and privacy notices (which are types of wording on forms the customer fills in) that tell them exactly how their information will be used and protected.
Additionally, businesses can be subject to negative publicity and large fines for breaching the law.
The following points will help to demystify the current law and give you a few tips to put into practice straight away to get ready for the new law:
- data protection law aims to protect people’s personal information from unfair and unlawful use
- this use includes collection, storage and any transfer of data to another company without permission
- it also applies where businesses outsource any of their services, which in the parks sector particularly includes information submitted by customers on the park website, information submitted on a website through a third party host, online booking services and online travel agencies
- you should start to look at where your customer/residents data and employee data is held e.g. cloud storage, on a spreadsheet on a computer, in hardcopy form in a filing cabinet, and think about the security of that storage
- you should consider what personal data you ask for and keep and if it is necessary to hold that data. Ideally you will have a deletion and archiving policy
- you should make sure you tell customers and residents what you do with their data and get their consent to anything that they would not expect, such as marketing or passing their data to a third party