Feature

GDPR and Brexit

Cybersecurity
Publication of the long awaited EU General Data Protection Regulation (GDPR) took place earlier this summer. In the wake of the UK EU referendum poll result, what are the chances of this new regulation being taken seriously?

Britain’s decision to leave the European Union has led some data professionals to think that they will no longer be affected by EU’s General Data Protection Regulation (GDPR) due to come into force in 2018.

“Although it’s very early days, there are some misconceptions around the impact of Brexit on the many thousands of organisations responsible for storing and managing sensitive personal data,” said John Cassidy, VP EMEA, Ground Labs.

Any business that stores, transmits or processes personal information has a duty of care to ensure this sensitive information is secure and safe. Prior to Brexit, the GDPR was gaining momentum in the UK as a government driven regulation that businesses must comply with or face substantial penalties in the event of personal information being lost or stolen.

“We have discussed the issue with a number of UK businesses that believe if Britain leaves the EU then the requirements of GDPR will somehow be overridden. This is entirely unfounded as the risks of ignoring the new global data regulations will remain.”

One critical area is customer retention. UK companies with customers within the EU will need to ensure that they are GDPR compliant if they want to continue trading with those customers.

“A common misconception is that the GDPR applies to companies within Europe, but it’s actually designed to protect European consumers. This means that if you are handling even one European customer’s personal information, you are tasked to handle his information in line with the GDPR, or face the consequences.”

Furthermore, as uncertainty over the economic implications of Brexit is likely to continue until a trading agreement has been established, ensuring full GDPR compliance could now be more complicated than before the EU vote. There is also a potential grey area over the applicability of GDPR for UK businesses dealing with EU citizens based within the UK.

Cassidy added, “There is some evidence to suggest that for UK organisations, the timetable for compliance has moved forward. By leaving the EU, the demonstration of compliance could be a longer, more involved procedure for those companies affected.”

“At the recent PCI London event in Victoria, a representative from the ICO discussed the fines that will go to the exchequer via the treasury. This will absolutely focus businesses to ensure they are prepared for GDPR - or its British doppelgänger.”

The ICO has also made statements to indicate that once the UK leaves the EU, it is likely to introduce new regulations that would be similar in scope to those laid out by GDPR.

John Cassidy added: “GDPR is not going away and Brexit is certainly not a green card for those wishing to avoid the reputational damage, financial losses and considerable fines associated with a security breach. These data regulations should not be seen as extra homework to be dodged, they are designed to prevent devastating data breaches that can cost millions and could lose you customers.”

Legal Eagles: Back in May, Comms Business asked for legal advice on the issue in case of a Brexit vote and got the following opinion from Justin Tivey, Legal Director at law firm Bond Dickinson.

“Leaving aside a possible Brexit vote, GDPR will be part of UK law immediately. The Regulation has built into it a 2-year period for everyone to prepare to comply, and its provisions will actually take effect in the summer of 2018.

The GDPR also seeks to establish a one stop shop to limit the data protection authorities to which multi-jurisdictional organisations need to answer. Previously most data protection obligations fell upon data controllers as opposed to data processors. The GDPR applies to both.

The two-year implementation period may sound relaxed, but it will only be so for those who start to tackle the issues raised by the GDPR now. At its heart, however, data protection is about the same issues – understanding what data you hold and why.”

Ed Says… This is definitely one to watch. Sanctions for non-compliance with the regulation have not only been made uniform, but they have been increased considerably. For a minor breach, organisations can be fined up to 2% of their worldwide revenue or 10 million Euros, whichever is higher, although a warning can be given for first offences.