No Escape From EU Data Protection Rules With Brexit

Whatever your personal views on staying in or leaving the EU, a recent Computer Weekly article highlighted an inescapable fact: whether the UK stays in or leaves the EU, the new European General Data Protection Regulation (GDPR) will still apply to UK companies dealing with the EU.

GDPR will affect any business offering a service to the EU market, regardless of where in the world its data is stored or processed. In other words, what matters is whether you hold data about EU individuals, or data that could identify individuals who find themselves in the EU.

The New Regulation

The Network and Information Security Directive (NISD) is due to come into force this year, closely followed by the General Data Protection Regulation (GDPR) in 2018. The much-publicised GDPR is intended to provide a European data privacy law that keeps more up to date with the rapid changes of the digital age than the existing UK Data Protection Act 1998 and the EU Data Protection Directive (Directive 95/46/EC), established in 1995.

The GDPR will place a number of obligations upon organisations, requiring them to fulfil a number of rights under the far-reaching regulations.

These include:

  • Being accountable by demonstrating compliance with data protection requirements through adopting and implementing policies and procedures such as Privacy Impact Assessments, designing privacy in (e.g. by using encryption to protect personal data), and keeping records of personal data use within an organisation.
  • Allowing individuals the “right to be forgotten” (the right to erasure) by erasing all of an individual’s personal data as soon as possible on request.
  • Restrictions on profiling of individuals, e.g. the right for an individual not to be subject to a decision based on automated profiling. For example, individuals could currently be evaluated / profiled based on work performance, behaviour, health or location.
  • Making sure that an individual’s data is freely given, requested in clear and plain language, and allowing individuals to see a copy of the data you hold about them.
  • Reporting any serious data breaches to the Information Commissioner’s Office (UK, mandatory) within 72 hours.

What Does All This Mean For Your Business?

Clearly, the popular suggestion that simply gambling on Brexit is a viable strategy for avoiding getting to grips with the regulations, or for avoiding some significant changes in data security, is wrong.

Some of the implications of the changes for your business could be:

  • The costs and complication of ensuring compliance.
  • The challenge of actually being able to delete all data about an individual in a digital age where this is becoming more and more difficult.
  • Possible negative impacts on your business if you use data analytics, credit scoring and employee monitoring because of the need to comply with the profiling regulations.
  • The possibility of receiving significant fines if you don’t report data breaches quickly enough, plus the cost and time spent trying to minimise the risks of data breaches and planning for how one could be dealt with.
  • The need for business leaders to quickly learn more about what kinds of cyber security risks they could be facing.
  • The possible damage to more company reputations as they are forced to report all breaches, and the risk of even more serious damage if news of an attack is not publicly handled well by the company.