While the problems of the NSA or a multimillion-pound bookmaker may not seem relevant to the average print firm, new laws, due to be passed by the European Parliament next year, are intended to reduce the incidence of data breaches and ensure that every business understands the importance of data protection.
Public awareness of data protection requirements is rising all the time, with the head of enforcement at the Information Commissioner’s Office recently stating that ignorance from data controllers – that is, anyone with access to personal data – is no excuse.
So with corporate disasters of this scale making the news every other week and far-reaching new laws imminent, every business needs to be aware of their obligations.
Threats
“Being penalised for data breaches has not quite got to the top of companies’ lists of fears yet,” says Robert Bond, data protection partner at law firm Speechlys. “People still think ‘it will never be us, it’ll be them’. Of course, it then ends up being you.”
“When you look at who gets named and shamed, it’s generally big firms or NHS Trusts or local authorities, not SMEs,” he adds. “But in the past two months we have seen a shift in more criminal enforcement actions against businesses.”
Emily Carter, data protection partner at law firm Kingsley Napley, agrees that small print businesses should not consider themselves immune to insider breaches or threats from outside their organisation.
“The most significant area of concern for any business when dealing with data protection issues is breach of the seventh principle of the Data Protection Act 1998,” she says. “That is ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.”
The figures support her assertion. In 2013, the vast majority (87%) of small businesses suffered a breach in data security, up from 76% in 2012 (PWC for BIS).
PWC also found that 63% of small businesses were attacked by outsiders in 2013, up from 41% in 2012, and 15% of the same sample of small companies detected that outsiders had successfully penetrated their network, up from 7%.
However, threats to data do not only exist in the form of hackers. Most data breaches stem from human error. That can be a hastily sent email, addressed to the wrong person because of an auto-fill error, or leaving a laptop or briefcase containing information on your train home.
What data is protected?
“Anything that is personal information is protected under the Data Protection Act,” says BPIF head of legal Anne Copley. “Even somebody’s name.”
If data identifies a living individual it is deemed sensitive enough to be protected under the current act of 1998. All printers hold two categories of data that are protected: staff, and then clients or prospective clients. Staff data includes employment history, health information and remuneration details, while the payment and contact details of clients are also protected.
The data is protected via eight principles, set down in the act. These principles govern how the information may be used; for example, restricting the use of information to the specific purpose it was acquired for. Companies must also ensure that they do not hold excessive amounts of customer data, but only that which is necessary. And records must be kept up to date and relevant.
In addition, data should not be kept on file for longer than is necessary, and, whether in electronic or in printed form, data must be kept securely.
The BPIF’s Copley believes that most in the printing industry are aware of the general implications of the act, if not of the detail itself. “Most printers are, of course, aware that you cannot just happily hand over the details of your staff to anybody who asks,” she says.
GI Solutions IT director Darren Crawford concurs. “Some printers will be of the opinion that the Data Protection Act doesn’t apply to them as all they’ve done is print name and address labels for a client,” he says. “But in general I think most professional organisations doing that sort of thing are well covered and do know what their responsibilities are.”
What does this new law say and how will it affect printers?
While the final details of the new legislation will be confirmed by the end of this year, and the European Parliament will vote it through around May 2015, the law will have what is known as a ‘lead-in’ period. This means that it will only become enforced around two years after its initial pass. When it is enforced, it will govern every member state.
Regulators will have greater powers too. If a business loses personal information it will be obliged to inform the regulator, as is already the case in the US. Where the breach is damaging, individuals whose data has been compromised will also have to be informed.
The new regulations are expected to revolve around the same framework as the current Data Protection Act. However, there are key differences that all businesses will need to be aware of.
“The definition of personal data has been extended to include new identifiers such as IP addresses as well as traditional identifiers such as addresses and dates of birth,” reports Carter.
The concept of consent will be strengthened so that when printers are processing data or capturing information when prospective customers visit their website or receive marketing newsletters, they will need plainer privacy policies.
The practical implications of this are that consent guidelines on websites and on paper will not only need to be re-drafted but that consent may need to be obtained with regard to a new action not covered by the original consent.
Not only will the concept of consent become more explicit, but businesses could also have to start asking for demonstration of consent for any sensitive personal data that they handle. For example, if an order that involved processing personal data came in, printers would have to ask their client to demonstrate the consent of every individual.
“Up until now, it was good enough to look at the circumstances, mitigate around the risk and so long as that mitigation was adequate, that was okay,” explains Crawford. “Our get out of jail free clause on that was that we had to assume that the client had an agreement with their clients. The new act says that we have to ask the client to demonstrate, on every single piece, how they conform to the act. That is a huge amount of work.”
Conclusion
While this new legislation could place a burden, not just on printers, but on virtually every type of business, it is important to note that the exact make-up of the new act has not yet been finalised, and that even when it is, until certain points are tested in court, its practical reach is not certain.
Having said this, and while the law is only due to come into force in 2017, it is important for every print business to manage its data and prepare for the new regulations. Following PrintWeek’s basic guidelines (below) to protecting data is a great way to start.
PROTECTING YOUR DATA
Make sure that retention of personal data is minimised to only what is necessary
Train and educate staff on data protection principles and the organisation’s policies
Define responsibilities for data handling and accountability at a senior level
Ensure that clear and express consent is obtained from those individuals whose personal data you’re handling
Maintain strong security systems, both physical and electronic, which are reviewed regularly
Maintain written policies for data handling and records management, including data retention and data minimisation, and review these regularly
CASE STUDIES: SIGNIFICANT DATA BREACHES
August 2005 A former AOL engineer was sentenced to over a year in prison for stealing 92m screen names and email addresses and selling them to spammers. The 92m AOL customers received around 7bn unsolicited emails between them. The engineer had used another employee’s access code to steal the list of AOL customers in 2003 from its headquarters.
November 2007 HMRC lost personal details of Standard Life customers, meaning that around 15,000 could be at risk of fraud. The data was on a CD sent from HMRC’s Newcastle office to Standard Life’s Edinburgh headquarters. However, the CD, which contained names, pension data and national insurance details, failed to arrive. Customers were only notified of the breach five weeks after the event.
June 2011 A number of non-encrypted laptops went missing from NHS North Central London, with one confirmed stolen. Although all laptops were password protected, they contained sensitive information on health records. Importantly, and against NHS guidelines, the laptops were not encrypted.