Fastest 50: A new digital law unto itself

ON FILE: Gareth Yates warns that new regulations will change the way companies collect, analyse and protect data.
ON FILE: Gareth Yates warns that new regulations will change the way companies collect, analyse and protect data.
Have your say

Technology continues to play a major part in the Ward Hadaway Yorkshire Fastest 50, not just in the business of companies such as Azzure IT, ESP Systex and Hisense UK, but also in the day-to- day operations of almost every commercial concern.

From online payments and ordering to mobile communications and working remotely, technology has become so integrated with our lives that we almost forget it’s there.

A cursory look into the future and we can see developments such as artificial intelligence, machine learning and digital virtual assistants becoming mainstream parts of many businesses.

As well as this, the increasing proliferation of data, allied to sophisticated mapping tools, will offer companies potentially ever greater insights into what their customers want.

However, just as technology is moving on apace, so is the law. The General Data Protection Regulation (GDPR) comes into effect from May next year, signalling one of the biggest changes in the way in which companies collect, analyse and protect data.

The GDPR has been put together with the aim of giving people control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU and, despite Brexit, the UK.

It brings with it new responsibilities for companies with any involvement in controlling or processing personal data – whether from customers or employees – and new penalties for those who don’t comply, including in the worst cases fines of up to four per cent of total worldwide turnover.

So what do companies need to do?

For businesses which hold or process personal data, the Information Commissioner’s Office (ICO) in the UK has put together a 12-point plan to prepare for GDPR.

This includes carrying out an information audit to document the data you currently have, reviewing privacy notices, checking procedures surrounding data breaches and looking at how you obtain individuals’ consent to hold and use the data which you have on them.

The ICO also advises companies to check the legal basis on which they are holding or processing personal data and to look at how they verify individuals’ ages and deal with information on children.

For companies which use personal data to run or develop products and services – such as app developers or smartcard system operators – there will be other changes in how they go about their business.

This is because the GDPR introduces the concept of “privacy by design and by default” – requiring businesses to implement data protection measures within the design of new products, services or other data-processing activities rather than adding on such protections once the products/services/activities have been developed.

What will this mean in practice?

Essentially, businesses starting a new project which involves the use of personal data will have to build in safeguards right from the start. This could include things like conducting a privacy impact assessment to record that they have considered the data protection implications of the project.

Data protection also needs to be taken on board throughout the development phase with careful consideration to how any modifications to original designs or specifications could alter how data is used. Final testing and monitoring will also need to encompass data protection considerations before the product is launched.

In conclusion, the pace of technological advance which we have seen over recent years may be about to accelerate, but this will not be a lawless “free for all”. Careful steps will need to be taken to ensure enthusiasm for new technology does not cost companies dear.

• For more information on the issues raised by this article, contact Gareth Yates at or on 0113 205 6766.