Peter Galdies, Development Director at DQM GRC, gives six reasons why UK businesses must still heed the General Data Protection Regulation (GDPR).
Whilst the decision by the people of the United Kingdom to leave the European Union has implications for the legislative framework for privacy in the UK, these implications are unlikely to significantly affect the need for organisations to adopt the General Data Protection Regulation (GDPR). Here are six reasons why:
Reason 1: The 2+ year negotiation phase…
Formal negotiations for exit won’t start until after Article 50 is invoked (giving our official notice to leave the EU), and this now looks likely to be in September 2016 at the earliest. During the 2-year period that Article 50 sets for negotiation (which can be extended only by unanimous agreement), all existing legislation (including the GDPR) will continue as before. This period of negotiation could be much longer; many estimate as long as 3-6 years. The GDPR is actually already law (it entered into force in May 2016) and although organisations have a 2-year window before it applies in May 2018, it would be unwise for businesses to assume that after this period there will no longer be a need to comply.
Reason 2: Trading with the EU?
The GDPR applies to, and can be enforced against, organisations that process the personal data of individuals in the EU, regardless of where the organisation itself is located. It doesn’t matter if you are in France, Germany, the USA or India, the GDPR law (and its subsequent penalties) can be applied. Therefore, UK-based organisations attempting to do business with individuals in Europe must comply with the Regulation. Failure to do so presents the risk of substantial fines – up to €20 million or 4% of worldwide annual turnover, whichever is higher.
Reason 3: We just trade in the UK so we’re OK, right? Maybe not…
With over 3 million EU citizens resident in the UK – and at least 2 million of these in employment – the chances are that your business might have data relating to EU citizens.
The GDPR is primarily concerned with processing personal information about individuals who are in the EU (the Regulation’s own wording refers to data subjects “who are in the Union”, not to citizens or residents), where that processing involves offering goods and services to these individuals or monitoring their behaviour. However, who determines whether someone is a resident or not?
Does a 2-month holiday in London by an EU citizen mean that they are a non-resident? Does the individual need to be granted residency status within the UK to be excluded from the terms of the GDPR?
Reason 4: The Information Commissioner’s Office thinks so…
According to a statement on the 26th June from the ICO: “If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms, we would have to prove ‘adequacy’. In other words, UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.
“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
This statement implies that our new Information Commissioner (Elizabeth Denham, who has a proven history of backing and enforcing consumer rights while encouraging transparency within business) is likely to encourage legislation that mirrors the requirements of the GDPR. It’s also worth noting that UK privacy professionals were key in shaping this legislation in the first place – and that the view of what constitutes good privacy doesn’t change simply because we chose to exit the European Union.
Reason 5: Trade negotiations… an easy win.
Over the next few years, the pressure to negotiate a strong trade deal with the EU will drive the adoption of supporting ‘mirror’ legislation designed to minimise barriers to continued trade. Some measures (such as open borders) will be highly contentious. However, it is unlikely that improved privacy protection would be seen as such. In fact, it’s an issue that many could openly support and encourage as an ‘easy win’, which would provide increased compatibility and security for UK-EU trade and improved protection for both groups of citizens.
Reason 6: It needs doing anyway. It’s the right thing to do.
Most of the UK’s existing data protection legislation was written before the widespread adoption of the internet and the globalisation of trade – and the collection of vast amounts of new data about data subjects that followed. Internet-based social media services, such as Facebook and Twitter, didn’t exist and currently enforced laws on data protection were not created to accommodate them.
It’s now easier than at any time before to build and infer much about individuals from the data they generate, often unknowingly, in their day-to-day activities. We are all entitled to a free and private life, so we need laws that help protect us – and the legal framework prior to GDPR doesn’t cut it.
The GDPR, while far from perfect, does offer an improved model for data protection, and it is, arguably, both right and pragmatic for the UK to adopt similar legislation.
So, while it’s true that we are going to be living in uncertain times for a few years, it is likely that privacy will still be high on the agenda. When the next high-profile data breach or misuse happens (think TalkTalk), the public reaction is likely to be the same regardless of Brexit. Ultimately, the pressure for organisations to retain and build trust will remain – as will the pressure on regulators to govern.
Although the adoption of the GDPR as mirroring UK legislation is highly likely, we should also be aware that Brexit will leave the UK ‘on the outside’ for the development of future privacy legislation that, in practice, may well apply to UK-based organisations. The review of the EU E-Privacy Directive has now started and this is likely to affect how UK businesses can use data, e-mail, social media and other communications to reach EU citizens. It remains to be seen if we have influence over this in the next couple of years. Even if we do, our voice will be less powerful than before.