Right side of new data rules

by Mark Rowe

The issue of personal data protection will become increasingly important with the introduction of new rules on May 25, 2018. Known as the General Data Protection Regulation (GDPR), the rules are set to have a major impact on businesses in our industry, in two differing ways, write Paul Reeve, the electrical trade association ECA’s Director of Business, and Steve Martin, pictured, ECA Director of Technical.

What all businesses need to know

Firstly, almost all businesses need to take note of the broader issue of protecting the data of individuals when developing their company systems and managing customer records.

At present, the Data Protection Act 1998 (DPA) places certain requirements on businesses, but the GDPR will go significantly further than the DPA. The GDPR will apply to the processing of any personal data within a company, and significantly, it will give individuals more influence over the information organisations hold on them, and how it is used.

Businesses will need to ensure that individuals can withdraw their data-sharing consent easily and, significantly, that they also have the right to have their records deleted promptly. Individuals will also be entitled to ask for a copy of all data being held in relation to them, and an explanation of what it is used for.

Those businesses that hold the original data will also be accountable for how any third parties use personal data, and could face penalties due to non-compliance by these other organisations.

Data protection within the built environment

Another key element for engineering services businesses is how data protection will interplay with the built environment, such as integrated technology and security systems installed within buildings. As noted above, ‘personal data’ is covered by the DPA, and the incoming GDPR. Crucially, the ability to identify an individual depends partly on data held about the individual, and partly on other information gathered by the building infrastructure and sensors. The information held could well qualify as ‘personal data’.

To give an example, a physical access control system, if installed in a building, will transmit, receive, store, and even remotely monitor information. The data produced from this alone may not identify the occupants. However, if access fobs are assigned or tagged to employees, or even if video surveillance, biometrics or facial recognition is used, then that stored information will become personal data, as individuals and their movements would be identifiable.

Ensuring that intelligent installations can be protected against hacking could therefore be very significant to contractors and installers. If a system becomes compromised, then IT systems could be hacked and data stolen, destroyed or manipulated, thereby putting constructors and contractors at risk of being non-compliant with existing data protection laws and regulations.

Many engineering services businesses are already well placed to help clients with cyber security issues, ranging from device selection and maintenance, to systems integration. However, taking full advantage of this opportunity will mean extending existing skillsets.

Non-compliance

If an organisation experiences a data breach, the GDPR requires this to be reported to stakeholders and the regulatory authorities within 72 hours of the breach being discovered. Furthermore, the Information Commissioner’s Office (ICO) can audit a business at any time from 25 May 2018, regardless of whether a breach has occurred. Non-compliance with the regulations could lead to significant fines of up to four per cent of total business revenue.

While there is some commercially-driven hype about what’s needed for even small businesses to comply with GDPR, the new regulation will apply to the bulk of small and large businesses in our sector, and there is no room for complacency. The clock is ticking down to May 2018 and new, practically useful personal data protection systems will need to be identified and set up.

With this in mind, now is the time for all businesses to consider what GDPR means for them, and to start creating what they need to ensure compliance.

About the Electrical Contractors’ Association: visit eca.co.uk.

© 2024 Professional Security Magazine. All rights reserved.
