The EU’s General Data Protection Regulation (GDPR) was approved earlier this year, and businesses and organisations across the UK started to think about how they would prepare for it coming into force in May 2018.
But now that the UK is on the path to leaving the EU, does the GDPR still have any relevance for British businesses? The answer is yes.
The reality is that Brexit hasn’t really changed very much in the world of data protection, for two reasons:
- The UK will need its own data protection law, which is likely to follow the same format as the GDPR
- If your company deals with EU businesses, or processes the personal data of people in the EU, you still need to be compliant by the time the GDPR comes into force, because the regulation applies to that processing wherever the company is based.
Below I go over what your business or organisation needs to do over the next 21 months or so.
- Ensure that you will be compliant by the deadline
When the GDPR comes into force, cross-border transfers of personal data out of the EU, an essential transaction for many businesses, can only be made freely to countries that the European Commission has recognised as providing an adequate level of data protection. Transfers to any other country need specific safeguards (such as standard contractual clauses) for each arrangement.
This means that the UK's own new law must provide protection equivalent to the GDPR by that date, so that the UK can be recognised as adequate and British businesses can keep receiving personal data from the EU. If it does not, every such transfer will involve significantly more red tape.
But what happens if companies carry on with 'business as usual' and don't make an effort to comply?
The penalty for non-compliance is up to four percent of annual worldwide turnover (or €20 million, whichever is higher). That's right, turnover, not profit. This is a much higher penalty than under existing rules, and it is likely that regulators will make examples of a number of companies once the GDPR is introduced.
Being found to be non-compliant would not only have a financial impact, but a reputational one too. Think back to when TalkTalk's profits halved after a cyberattack on its mobile sales site led to a data breach.
- Introduce ‘Privacy By Design’
The GDPR explicitly recognises the concept of 'privacy by design' (the regulation calls it 'data protection by design and by default'), obligating businesses to consider data privacy at the design phase of a project, and throughout the entire lifecycle of data processing.
Policies, procedures and systems need to be designed to be compliant from the start, and every time a system is changed there is a need to check that it is still compliant. In other words, compliance with the GDPR is a never-ending cycle, not a one-off project.
- Ensure that you have control and visibility of your data
Increasingly, data is stored in the cloud, but the GDPR requires you to have control and visibility of your data wherever it is. That means you need to know physically where it is held, which processors handle it, and who has access to it.
For example, under the new law data subjects gain some new rights, including the right to erasure (often called the 'right to be forgotten'): the right to request deletion of their personal data in certain circumstances, such as when it is no longer needed for the purpose for which it was originally collected. This means that you need to be able to find every copy of a person's data, and delete it, when required.
You might have outsourced the processing of your data, but you cannot outsource the responsibility you have for it!
This can be tricky enough with a single system, and it is harder still when the same person's data is spread across multiple sources, such as a CRM, a billing system, backups and a cloud provider. You need a solution that gives you an overview of all your data and where each copy lives.
- Establish if you need to have a Data Protection Officer
If the core activities of your company or organisation involve 'regular and systematic monitoring of data subjects on a large scale', or large-scale processing of 'special categories' of data (such as racial or ethnic origin, or health-related information), then under the GDPR you are required to appoint a Data Protection Officer; public authorities must appoint one regardless. It is important to establish this sooner rather than later: it is estimated that 28,000 such officers will be needed by the compliance date, and there are not enough specialists with the right skills to fill those roles.
Some businesses are saying ‘we don’t need to worry for now, the government will sort this out over the next couple of years’.
But it is becoming increasingly clear that arrangements for Brexit are moving slowly, and that data protection is just one of many areas of law the government will have to look at. It is also clear that the GDPR will remain relevant for British businesses and organisations that have dealings with EU companies or EU residents.
That means that the date the GDPR comes into force is still a date you need to be prepared for. Brexit will bring many changes to many areas, but data protection is not one of them.