November 6, 2015

Safe Harbour – Preparing for the New Data Protection Laws

With ever-evolving tech and more of our data going online by the day, it’s no secret that the law has struggled to keep up. There have been many developments in Data Protection laws recently, and although it sounds about as much fun as a hole in the head, in the wake of the Safe Harbour ruling and with tougher EU privacy rules (in the form of the draft Data Protection Regulation) expected to come into force in early 2017, it’s more important than ever that you know what all of it means for your data, and your customers’, and prepare accordingly.

The new bill will affect everyone collecting or storing data online or in the cloud so burying your head in the sand is no longer an option. The grace period for due-diligence ends Jan 16th 2016, so by then you must know where your data is, the laws that govern it, what you need to do to secure it, and the very real price you will pay if you don’t.

What are data protection laws?

Data protection laws exist to strike a balance between your right as an individual to privacy and the ability of organisations to use data for the purposes of their business. The bill extends an obligation to ensure appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data to anyone who stores other people’s personal data.

When the changes come in, the bill and the new data protection laws are really going to start to have some teeth.  The finer points are still being debated but a few of the big things it’s expected to include are much higher fines for non-compliance based on a percentage of turnover and more prescriptive rules around fair processing of personal data; more accountability and far more fines and enforcement by the Information Commissioner.

What are your obligations?

In order to comply with the current Data Protection Act, a data controller (people who determine how data is processed) must comply with the following eight principles:

  1. The data should be processed fairly and lawfully and may not be processed unless the data controller can satisfy one of the conditions for processing set out in the Act.
  2. Data should be obtained only for specified and lawful purposes.
  3. Data should be adequate, relevant and not excessive.
  4. Data should be accurate and, where necessary, kept up to date.
  5. Data should not be kept longer than is necessary for the purposes for which it is processed.
  6. Data should be processed in accordance with the rights of the data subject under the Act.
  7. Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

There are many more in-depth requirements of data controllers and when processing data which you should investigate further independently, because you’d be reading this blog forever if I listed them all here.

One of the points above worth highlighting though is that as well as knowing where your data is at all times, you need to ensure that you’re securing your data effectively with ‘appropriate measures’ against attackers and data loss. For many businesses this will mean outsourcing your security to an accredited third party that can deal with everything from firewalls to penetration testing.

What are the main risks if you don’t comply?

Financial – the most obvious and immediate issue is that you and your clients will probably lose money if you experience an attack. You’ll experience the joy of some hefty non-compliance fines, which are currently in the region of £500k, but the expectation is in future this will move to a percentage of your overall worldwide turnover.

Operational – the time it will take to get your business back on its feet and potentially moving your data.  And lost time means lost revenue.

Reputation – potentially the worst in the long term, reputation is easy to lose and hard to get back.

What’s the bottom line for Romax clients?

Romax customers don’t have to worry about the concerns relating to Safe Harbour as we keep all our customer data in our on site server and backed up to a UK-based, IS27001 and PCI compliant UKFast data centre, so you can be assured more stringent UK laws govern the protection of your data.

Being IS27001 compliant and/or using UKFast who are ISO27001 compliant gives both customers and the Information Commissioner assurance that they have taken “appropriate technically and organisational measures” to protect data.

Romax clients aren’t affected by any of the Safe Harbour ruckus, but if the company that you host with doesn’t keep their data on British soil you could be; and no matter who you are the expected DP changes will affect you, so here’s what you need to know. Romax use UK Fast for our cloud back up and have an onsite server for secure data storage. Watch a Microsoft video report about our IT investment.


Source Content courtesy of  UK FAST 27 Oct 2015 by Katherine Kelly.


romax_logo_tag_blueRomax Marketing & Distribution, a Greenwich-London based company, provides a wide range of services in Direct Marketing for B2B and B2CDirect Mail, Data Management, Printing, Discount Postage and Membership Communication Services and Consultancy. Contact us: +44 (0) 20 8293 8550

Contact Us


« »