Brexit has certainly raised many questions among business leaders, but none more pressing than those around the impending EU General Data Protection Regulation (GDPR). In fact, I recently read that one in four businesses have cancelled all preparations for the GDPR as they mistakenly believe the rules will no longer apply in the wake of the triggering of Article 50 last month. What’s more, and perhaps even more worryingly, nearly half (48%) have not even begun to prepare for the changing regulations, which come into effect next year.
It’s important to realise that while Brexit has undeniably created many uncertainties for businesses, the GDPR will still apply for all businesses operating and trading within the European Union, regardless of whether the UK leaves.
Heralded as “a major step forward for consumer protection”, the GDPR seeks to harmonise data protection regulation and provide people with greater control over their personal data, safeguarded by the knowledge that all organisations in the EU will be singing from the same hymn sheet.
Come May 2018, the GDPR will place an even greater onus on organisations to safeguard the personal data they hold from cyber-attacks. Companies will now have more of an obligation to protect the personal information entrusted to them, no matter how it’s processed. If they do not comply with this additional responsibility, the penalties for leaking customer data could be larger than ever before – with reported fines of up to €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater.
The GDPR also makes clear another important point that we should already have known: you can outsource your risk, but you can’t outsource your responsibility. If organisations use a third-party provider to store and manage data, such as a cloud provider, they remain responsible for its protection. They must, therefore, demonstrate exactly how the data is protected in the remote system. As such, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid the penalties.
Under the new regulations, organisations will also have to provide citizens with online access to any of their own personal data they store. While the Data Protection Act traditionally allowed anyone to request access to this data, with GDPR in effect, organisations must make this available for download ‘where possible’ and ‘without undue delay’. This is a very significant change and securing this access will represent a significant challenge to many organisations, especially while still complying with the new tighter rules. It will also require robust cybersecurity technology across the board.
Brexit or no Brexit, businesses need to be ready for the GDPR. Firstly, the deadline of May 2018 will arrive before plans for Britain to leave the EU are actioned, and secondly, the data protection rules will still apply to businesses that handle the personal information of European citizens.
Given the stringency of the new rules spelled out by the GDPR, and the potential for significant penalties and reputational damage, organisations need to start planning now to ensure compliance in time for the May 2018 deadline. The clock is ticking…