Sometimes I wonder whether the complex and high-profile data protection cases that go through the European Court of Justice do more harm than good in advancing the adoption of good data protection practice. These cases are complex and inaccessible to most of us. They are argued by highly trained legal teams. The judgements are technical and written in tortuous language that is difficult to understand. (Try putting an extract of a recent legal judgement through a readability engine; the results are very funny!) These cases can be important for challenging ambiguities in the law. They often highlight holes in legislation that the unscrupulous exploit (or carelessly ignore) at the expense of the vulnerable in our society. They raise genuine challenges to civil liberties. But they also send the message that data protection is complex, that it’s technical, and that it’s something that requires teams of lawyers and long, unreadable legal agreements to be presented to end users.
Complex legal cases scare businesses
It’s not a good message. It scares businesses into thinking that data protection is expensive and out of their reach. Companies don’t know how to deal with data protection and, as a result, they ignore it. This is in nobody’s best interests. Businesses are running the risk of complaints, audits and fines. They are risking their reputation and the loss of customer trust. They are collecting data but not putting in place simple policies to handle that data in a trustworthy manner. With GDPR fast approaching, they are taking very significant risks, as headline-grabbing fines are introduced and data protection authorities are given more powers to pursue offences.

It does not have to be this way. In most companies, it is relatively straightforward to ensure that good data protection standards are observed. It is a matter of knowing what data you handle and getting simple, safe practices in place to ensure it is handled correctly. Data protection only really becomes complex for very large businesses that handle large volumes of customer data. It’s complex for Google and for Facebook because their businesses are data-centric. It’s complicated for banks and insurance companies because they are regulated industries and handle sensitive financial information. Large healthcare providers find it complex because they handle sensitive health information. Cloud service providers find data protection complicated because they store large volumes of data at multiple locations across the globe.
Data Protection is simple – most of the time
It’s not complex for most businesses. Most of the time it comes down to two critical things – staff awareness and common sense. It’s not going to cost a fortune for most small and medium companies – in fact, the new European Regulation (GDPR) relieves organisations with fewer than 250 employees of some of its more onerous obligations, such as the duty to keep records of processing activities, unless their processing is likely to pose a risk to individuals, is more than occasional, or involves special categories of data (Article 30(5)). The core obligations still apply whatever your size, but for most companies meeting them is as simple as the “Three S” – Simple, Secure and Staff.
- Keep it simple – don’t collect more data than you need and don’t keep it for any longer than necessary.
- Keep it secure – put appropriate security measures in place, restrict access to personal data to those who need it for their job (and review that access when people change role or leave), and be vigilant.
- Train your staff – make sure your staff know how to handle the data, and when it may and may not be disclosed to others.
Keeping these in mind will help you to manage the costs of handling and protecting personal data. It will ensure that data protection in your company is as simple as possible!