Business, Brexit and the GDPR
Last year there were 3.6m cases of computer fraud in the UK alone, approximately one case for every 18 residents. A large proportion of this crime targets personal data, using stolen personal details to access bank accounts and take money.
These crimes are not limited to the domestic sector. Following on from the well-publicised TalkTalk, Yahoo and NHS breaches, recent events in the US have seen credit-checking giant Equifax fail to put sufficient measures in place to protect customer data. Some estimates suggest that private damage claims issued against Equifax could even cause the company to cease trading.
It is these high-profile cases, together with increasingly rapid changes to the information technology landscape, that have prompted EU regulatory bodies to replace the existing data protection framework with the GDPR.
Increasing protection: enter the GDPR
In response to the growing need for a new approach to data protection in business, the EU's General Data Protection Regulation (GDPR) comes into force on 25 May 2018.
The new legislation replaces the Data Protection Directive (DPD) 95/46/EC and is designed to create consistency in corporate data handling across the multiple jurisdictions of the union.
When the DPD was approved in 1995, technologies such as third-party cloud storage and social media platforms did not exist. Only around 1% of EU citizens used the internet, and the dial-up connections of the day were tediously slow compared with the superfast fibre-optic cable that now supplies bandwidth to urban centres.
With the proliferation of new data types, data-mining techniques and digital marketing, and the rise of the smartphone, the need for legislation that deals with the ubiquity of personal data has grown enormously.
UK Business: ICO and the GDPR
Does your business need to be GDPR compliant? If you are UK-based, the advice offered by the Information Commissioner's Office (ICO), the agency currently tasked with enforcing the existing Data Protection Act (DPA), is that “if you are currently subject to the DPA, it is likely that you will also be subject to the GDPR”.
The following statement was made by an ICO spokesperson, speaking to the BBC on the matter of enforcing the GDPR in the UK: “The new law equals bigger fines for getting it wrong, but it is important to recognise the business benefits of getting data protection right. There is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals – and gain a competitive edge.”
The statement went on to address the implications of failing to comply with the GDPR: “But if your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices when the new law comes in next year, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance.”
Key regulatory changes presented by the GDPR
Some of the most notable changes to current regulation introduced by the GDPR are the following:
- Extraterritorial applicability – under the DPD, the law applied to processing carried out “in the context of the activities of an establishment” in the EU, so a company processing data from outside the union could fall outside its reach. The GDPR is very clear on this point: if the data relates to individuals in the EU and the processing concerns offering them goods or services or monitoring their behaviour, the regulation applies regardless of where the company is established or the data is processed.
- Increased fines – the GDPR raises the maximum financial penalty for the most serious breaches to 4% of a company's annual global turnover or €20mn (US$23.6mn), whichever is the larger amount.
- Consent to data use – companies will no longer be able to rely on long terms and conditions full of complex legal definitions; the purposes of data processing must be presented in clear and plain language. Equally, withdrawing consent must be as easy as giving it.
GDPR and Brexit: business hesitation
With Brexit looming, many UK-based companies have been unsure of the extent to which the GDPR is likely to affect their operations.
A survey conducted by Crown Information Management in March 2017 reported that, at the time, 24% of businesses had stopped making provisions for implementing the regulation, with tech and data-handling companies making up 44% of that group.
Official UK Government statement
On 21 June 2017 the UK Government put an end to the uncertainty and revealed its intention to press ahead and bring the GDPR into domestic law. This was confirmed in the Queen’s Speech, which considered the role data plays in commerce and noted: “Over 70% of all trade in services is enabled by data flows, meaning that data protection is critical to international trade.”
However, according to research conducted in July 2017, many UK businesses have still not been galvanised into action by the Government’s announcement.
The study, conducted by one of the UK’s first GDPR-compliant job boards, CareersinCyber.com, together with London law firm Hamlins LLP, produced the following statistics on the readiness of UK companies for the impending change:
- 73% have not allocated any budget for compliance
- 53% are yet to appoint a data protection officer
- 15% believe that Brexit means exemption from the GDPR
- 12% claim that they do not have the existing funds for compliance
- 11% do not consider there to be any risk to their business
Matthew Pryke, one of the partners at Hamlins made the following statement about these findings: “Despite awareness about the GDPR, too many businesses are complacent and think because of their size or nature of business they are somehow exempt from having to comply. Regardless of Brexit, this regulation – even with the words EU fronting the name – will still apply for all businesses operating in the UK. Those who leave it to chance and don’t prepare now, could be left high and dry if the Information Commissioner’s Office find businesses breach regulations.”
Implications for personal data management
Perhaps the greatest challenge to UK-based businesses will come when the UK finally ceases to be an EU member state. In 2015, the Court of Justice of the European Union invalidated the so-called Safe Harbour scheme, the location-specific arrangement that had allowed personal data to flow freely between the US and the EU, in response to the NSA surveillance revelations made by Edward Snowden.
Once the UK leaves the EU, it is therefore expected that there will be no special provisions for the processing of personal data unless one is negotiated. This is perhaps one of the key factors that forced the Government’s hand in its June 2017 announcement, as it is hoped that the UK will receive a formal adequacy decision from the European Commission. Failure to receive such a decision could have a significant impact on business between the UK and the EU.
Finally… financial implications
With the UK currently exploring the opportunities presented by global trade, the EU remains a viable and profitable market for all types of UK-based services. No one can predict at this stage what the implications will be for data-based industries currently trading and working with EU member states, save to say that there are likely to be difficulties.
However, as many businesses in the EU equally benefit from access to the lucrative UK market, it should be in the best interests of both parties to find workable arrangements that keep trade flowing without interruption.