
Why is data protection critical for all businesses

Adrian Godding
Businesses across all sectors collect and store data digitally, from the smallest shop to multi-national corporations. This can be financial records, customer contact details, payment details, CCTV footage or a staff list. In the UK, data protection is a legal requirement.

So why is data protection governed by law? Well, primarily because of the value of the data itself. The Facebook/Cambridge Analytica affair suggested that personal data could be extremely useful to political influencers and potentially even change the political landscape. Meanwhile, identity theft continues to be a huge issue. What’s very concerning is that fraudsters are able to use personal data – particularly bank or payment details – for their own financial gain. Companies tend to store staff and customer information, often including sensitive financial or health facts, which could allow criminals to steal from or blackmail those whose data has been misused. 

The UK Data Protection Act requires every organisation to use data only in relevant and specifically stated ways. More importantly, the data must be stored securely and kept no longer than necessary for the registered purpose.

Small business owners and data protection officers in larger organisations have a duty to ensure that the information they hold about staff or customers is correct (by confirming this with the subject themselves), and that it is not vulnerable to hacking. Failure to comply with the Data Protection Act can result in prosecution as well as huge fines.

With the advent of GDPR, these fines have just increased even further. In the event of a data breach, regulators may penalise organisations to the tune of four per cent of their annual global turnover, or €20m, whichever is the greater. But financial penalties aren’t the only reason businesses should look after their data: reputation and confidence from investors and customers will be compromised, potentially with terminal consequences. 

If data is properly encrypted and personal information cannot be obtained from it, it’s not actually necessary to report a breach to the regulator. Nevertheless, choosing not to report is a potentially poor decision, as an organisation may later be compelled to inform the regulator and justify why the initial decision not to report was taken. If a serious breach occurs, businesses not only have to inform the regulator of the volume and type of data that has been leaked, but also of the likely consequences of the issue. It’s also important to contact those whose data has been compromised, explaining the steps you plan to take to deal with the breach.
