According to comments made by the new UK Information Commissioner on BBC Radio 4’s PM programme, she would support the UK adopting EU data protection laws, even after Brexit.
Talking About GDPR.
New UK Information Commissioner, Elizabeth Denham, made her comments about The General Data Protection Regulation (GDPR) which is due to come into force in early 2018.
The UK was heavily involved in drafting the regulation, which is designed to make companies take data protection more seriously and to strengthen the rights that EU citizens have over their data. Although GDPR originated in the EU, it is intended to apply to all companies worldwide that process the data of EU citizens.
Elizabeth Denham stated on the radio programme that she supported the UK adopting the EU regulation even post-Brexit because if the UK is to continue doing business with Europe, British businesses will need to share information and provide services for EU customers. It should (according to Ms Denham) therefore follow that the data protection law should be equivalent.
Ms Denham also made the point that she would prefer a continuous rather than a “start and stop” regulatory environment in the UK and that adopting GDPR as it comes into force prior to Brexit should help to achieve this.
WhatsApp and the Yahoo Breach.
Ms Denham already appears to have won the favour of many UK consumers through her support of their interests in relation to WhatsApp’s sharing of data with its parent Facebook and through her apparent willingness to start asking Yahoo some difficult questions about its 500 million user account breach on behalf of the estimated 8 million UK users affected.
What Does This Mean For Your Business?
Since the Information Commissioner looks likely to push hard for the UK to adopt GDPR regardless of Brexit, UK businesses should get up to speed with GDPR now and make sure that they will be compliant by 2018.
This will mean for example that:
- Your company will need to be clear about getting consent to use a person’s data for just the specified purpose and not regard silence or inactivity as consent.
- You may need to prepare to appoint a Data Protection Officer (DPO), and your company may require training so that everyone understands basic compliance. This should help minimise the kind of human error that can cause a data breach.
- Your data security policies may need to be changed, and the changes promoted across the company. You will also have to develop highly effective systems for monitoring for data breaches, and to design compliance into all data handling and processing systems; this could mean starting the analysis and planning now to ensure that you are ready for 2018.
- You will have to develop effective systems that ensure fresh consent is gained before you alter the way you use data and that all data on a subject can be easily and quickly deleted on request.
- If your company provides data processing services for anyone else’s personal data you will need to consider your liability and be compliant with the new EU regulations.