Business, Brexit and the GDPR
Last year, there were 3.6m cases of computer fraud in the UK alone, representing approximately one case for every 18 residents. A large proportion of such crime targets individual data, utilising personal details to access bank accounts and steal money.
These crimes are not limited to the domestic sector. Following on from the infamous TalkTalk, Yahoo and NHS data breaches, recent events in the US have seen credit checking giant Equifax fail to provide sufficient measures to protect customer data. Conservative estimates speculate that private damage claims issued against Equifax could even cause the company to cease trading.
It is these high-profile cases, together with increasingly rapid changes to the information technology landscape, that have prompted EU regulatory bodies to update existing data protection frameworks with the GDPR.
Increasing protection: enter the GDPR
Following the increasing need for a new approach to data protection on the business stage, the EU is set to introduce the General Data Protection Regulation (GDPR) on 25th May 2018.
This new legislation replaces the Data Protection Directive (DPD) 95/46/EC and is designed to create consistency in corporate data handling across the multiple jurisdictions in the union.
When the DPD was originally approved in 1995, technologies such as third-party cloud storage and social media platforms were non-existent. Only around 1% of EU citizens used the internet and the protocols for accessing information were tediously slow compared to the superfast fiber optic cable that supplies bandwidth to urban centres.
With the proliferation of new data types, data-mining techniques, digital marketing and the rise of smartphone technology, the need for legislation that handles their ubiquity has risen exponentially.
UK Business: ICO and the GDPR
Does your business need to be GDPR compliant? If you are UK-based, the advice offered by the Information Commissioner’s Office, the agency currently tasked with the enforcement of the existing Data Protection Act, is that “if you are currently subject to the DPA, it is likely that you will also be the subject of the GDPR”.
The following statement was made by a spokesperson for the ICO, speaking to the BBC on the matter of enforcing the GDPR in the UK: “The new law equals bigger fines for getting it wrong, but it is important to recognise the business benefits of getting data protection right. There is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals – and gain a competitive edge.”
The statement also focused on the implications of failing to comply with the GDPR: “But if your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices when the new law comes in next year, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance.”
Key regulatory changes presented by the GDPR
Some of the most notable changes to current regulation put forward by the GDPR include the following updates and revisions to existing measures:
- Extraterritorial applicability – previously, data protection measures were taken “in the context of the establishment”, which meant that if companies processed data overseas then they could not be punished for breaches of legislation. The GDPR is very clear on this matter: if the data belongs to EU citizens, then the new legislation applies regardless of where it is processed.
- Increased fines – the GDPR raises the level of financial penalty for breaches to 4% of the annual global turnover of a company or €20mn (US$23.6mn), whichever represents the larger amount.
- Consent to data use – companies will no longer be able to use long terms and conditions full of complex legal definitions and must now present the purposes of data processing in clear and plain regional language. Equally, facilities for the withdrawal of consent must be easy and simple.
GDPR and Brexit: business hesitation
With Brexit now looming, many UK-based companies have previously been unsure of the extent to which the GDPR is likely to impact their operations.
A survey conducted by Crown Information Management services in March 2017 reported that at the time 24% of businesses had ceased making provisions for implementing the regulations, with tech and data handling companies making up 44% of this figure.
Official UK Government statement
On 21 June, the UK Government put an end to the suspense and revealed its intentions to press ahead and bring the GDPR into domestic law. This was confirmed in the Queen’s speech, which looked at the role data plays in commerce, with the following statement noting: “Over 70% of all trade in services is enabled by data flows, meaning that data protection is critical to international trade.”
However, according to research conducted in July 2017, it seems that many UK businesses have failed to be galvanised into action by the Government’s ruling.
The study, conducted by one of the UK’s first fully compliant GDPR job boards, CareersinCyber.com, together with London law firm Hamlins LLP, produced the following statistics on the readiness of UK companies for the impending change.
- 73% have not allocated any budget for compliance
- 53% are yet to appoint a data protection officer
- 15% believe that Brexit means exemption from the GDPR
- 12% claim that they do not have the existing funds for compliance
- 11% do not consider there to be any risk to their business
Matthew Pryke, one of the partners at Hamlins, made the following statement about these findings: “Despite awareness about the GDPR, too many businesses are complacent and think because of their size or nature of business they are somehow exempt from having to comply. Regardless of Brexit, this regulation – even with the words EU fronting the name – will still apply for all businesses operating in the UK. Those who leave it to chance and don’t prepare now, could be left high and dry if the Information Commissioner’s Office find businesses breach regulations.”
Implications to personal data management
Perhaps the greatest challenge to UK-based businesses will be when the UK finally ceases to be an EU member state. In 2015, the EU court invalidated special location-specific measures that allowed for the freedom of data processing between the US and the EU, ending the so-called safe harbour scheme in response to the NSA affair revealed by Edward Snowden.
Once the UK leaves the EU, it is therefore expected that there will be no special provisions made for the processing of personal data. This is perhaps one of the key factors that forced the Government’s hand in implementing the June 2017 ruling, as it is hoped that the UK will receive a formal adequacy decision from the European Commission. Failure to receive such a decision could have a significant impact on business between the UK and the EU.
Finally… financial implications
With the UK currently exploring the opportunities represented by global trade, the EU remains a viable and profitable market for all types of UK-based services. No one can predict at this stage what implications there will be for data-based industries currently trading and working with EU member states, save to say that there are likely to be difficulties.
However, as many businesses in the EU equally benefit from access to the lucrative UK market, hopefully it will be in the best interests of both parties to find workable arrangements that do not disrupt the continuous flow of trade.
SAS: Improving the British Army’s decision making with data
SAS’ long-standing relationship with the British Army is built on mutual respect and grounded by a reciprocal understanding of each other’s capabilities, strengths, and weaknesses. Roderick Crawford, VP and Country GM for SAS UKI, states that the company’s thorough grasp of the defence sector makes it an ideal partner for the Army as it undergoes its own digital transformation.
“Major General Jon Cole told us that he wanted to enable better, faster decision-making in order to improve operational efficiency,” he explains. Therefore, SAS’ task was to help the British Army realise the “significant potential” of data through the use of artificial intelligence (AI) to automate tasks and conduct complex analysis.
In 2020, the Army invested in the SAS ‘Viya platform’ as an overture to embarking on its new digital roadmap. The goal was to deliver a new way of working that enabled agility, flexibility, faster deployment, and reduced risk and cost: “SAS put a commercial framework in place to free the Army of limits in terms of their access to our tech capabilities.”
Doing so was important not just in terms of facilitating faster innovation but also, in Crawford’s words, to “connect the unconnected.” This means structuring data in a simultaneously secure and accessible manner for all skill levels, from analysts to data engineers and military commanders. The result is analytics and decision-making that drive innovation and increase collaboration.
Crawford also highlights the importance of the SAS platform’s open nature: “General Cole was very clear that the Army wanted a way to work with other data and analytics tools such as Python. We allow them to do that, but with improved governance and faster delivery capabilities.”
SAS realises that collaboration is at the heart of a strong partnership and has been closely developing a long-term roadmap with the Army. “Although we're separate organisations, we come together to work effectively as one,” says Crawford. “Companies usually find it very easy to partner with SAS because we're a very open, honest, and people-based business by nature.”
With digital technology itself changing with great regularity, it’s safe to imagine that SAS’ own relationship with the Army will become even closer and more diverse. As SAS assists it in enhancing its operational readiness and providing its commanders with a secure view of key data points, Crawford is certain that the company will have a continually valuable role to play.
“As warfare moves into what we might call ‘the grey-zone’, the need to understand, decide, and act on complex information streams and diverse sources has never been more important. AI, computer vision and natural language processing are technologies that we hope to exploit over the next three to five years in conjunction with the Army.”
Fundamentally, data analytics is a tool for gaining valuable insights and expediting the delivery of outcomes. The goal of the two parties’ partnership, concludes Crawford, will be to reach the point where both access to data and decision-making can be performed qualitatively and in real-time.
“SAS is absolutely delighted to have this relationship with the British Army, and across the MOD. It’s a great privilege to be part of the armed forces covenant.”