One of the inescapable realities of modern business is that almost every organisation, regardless of their size and sector, is likely to be reliant on digital data of varying levels of sensitivity.
Given this context, the new General Data Protection Regulation (GDPR) represents one of the most important pieces of European legislation to be introduced in recent times, as it will implement a number of new rules governing the use of personal data by businesses, with penalties awaiting those organisations found to be non-compliant.
However, in the UK, the recent vote to leave the EU may have created a question for many companies as to whether or not GDPR will still apply to them. The short answer to that question is "yes" - but the specifics of how Brexit will affect the implementation of the GDPR is still a subject upon which businesses would do well to educate themselves.
The primary purpose of GDPR is to provide EU citizens with enhanced protection from data breaches and to give them greater control over their own privacy, as current regulations governing these issues were established in 1995 and are therefore now significantly out of date.
GDPR will apply to all companies processing the personal data of people residing in the EU, and will require companies to make it easier for customers to withdraw consent for the use of personal data. It will also allow people to ask for their personal data held by companies to be erased, and will mean that companies have to ask for specific consent when processing sensitive personal data.
Businesses will also need to provide immediate notifications when data breaches occur, to make it easier for individuals to find out what personal data an organisation holds on them, and to move this information between service providers.Any companies found to be violating GDPR can be fined up to four per cent of their annual global turnover or €20 million (£17 million), whichever is greater. This underlines how seriously the new rules are being taken, and the vital importance of compliance.
The terms of the GDPR were approved in April 2016, with the support of the British government. However, a mere two months later, the country voted to terminate its EU membership, causing confusion about the application of the new rules in the UK.
The GDPR enforcement date has been set for May 25th 2018, at which time non-compliant organisations will face heavy fines. The UK will still be an EU member at this point, and will therefore be subject to the rules from that date; however, businesses should not expect their GDPR obligations to end when Brexit occurs in March 2019, as the British government has already proposed a new Data Protection Bill that will enshrine the basics of GDPR in British law.
This is because the scope of GDPR extends to all companies holding data on EU citizens, regardless of where the business is based, meaning that continued compliance with these rules is essential if UK companies wish to carry on trading legally in Europe post-Brexit.
As such, any companies that are not already fully compliant with GDPR must act now to make sure they are ready for the May 2018 deadline.
This process should include raising awareness of the new rules among all relevant decision-makers, carrying out an information audit to determine your responsibilities, and examining current privacy and consent policies to see if any changes need to be made. It's also essential to make sure that the right procedures are in place to detect, report and investigate any data breaches, and to ensure that someone within the company is taking responsibility for data protection compliance.
Businesses that require additional guidance on how to prepare properly for this highly significant regulatory change should consider taking Virtual College's free overview course on the GDPR, which explains all the changes you need to be aware of as a risk owner. By providing your staff with the right training, you can make sure the transition to GDPR goes smoothly, regardless of any new developments that Brexit may bring.
Summary: Europe's new General Data Protection Regulation will continue to impact British businesses despite the UK's departure from the EU, so it's important for businesses to examine how Brexit will affect the implementation process.