Print IT Reseller - Issue 30 - page 49

COMPLIANCE

Why the GDPR is here to stay – probably

Peter Galdies, Development Director at DQM GRC, gives six reasons why UK businesses must still heed the General Data Protection Regulation (GDPR).

Whilst the decision by the people of the United Kingdom to leave the European Union has implications for the legislative framework for privacy in the UK, these implications are unlikely to significantly affect the need for organisations to adopt the General Data Protection Regulation (GDPR). Here are six reasons why:

Reason 1: The 2+ year negotiation phase…

Formal negotiations for exit won’t start until after Article 50 is invoked (giving our official notice to leave the EU), and this now looks likely to be in September 2016 at the earliest. During the mandatory 2-year MINIMUM period, all existing legislation (including GDPR) will continue as before. This period of negotiation could be much longer; many estimate as long as 3-6 years. The GDPR is actually already law and although organisations have a 2-year window in which to meet compliance, it would be unwise for businesses to assume that after this period there will no longer be a need to comply.

Reason 2: Trading with the EU?

The GDPR applies to, and can be enforced against, organisations that process data on EU citizens regardless of their nationality or location. It doesn’t matter if you are in France, Germany, the USA or India, the GDPR law (and its subsequent penalties) can be applied. Therefore, UK-based organisations attempting to do business with EU citizens in Europe must comply with the Regulation. Failure to do so presents the risk of substantial fines – up to 4% of global turnover.

Reason 3: We just trade in the UK so we’re OK, right? Maybe not…

With over 3 million EU citizens resident in the UK – and at least 2 million of these in employment – the chances are that your business might have data relating to EU citizens.

The GDPR is primarily concerned with processing personal information about individuals who reside in the EU (although the EU Parliament also seems to consider residence irrelevant), offering goods and services to these individuals or monitoring their behaviour. However, who determines whether someone is a resident or not? Does a 2-month holiday in London by an EU citizen mean that they are a non-resident? Does the individual need to be granted residency status within the UK to be excluded from the terms of the GDPR?

Reason 4: The Information Commission thinks so…

According to a statement on the 26th June from the ICO: “If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms, we would have to prove 'adequacy'. In other words, UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018.

“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”

This statement implies that our new Information Commissioner (Elizabeth Denham, who has a proven history of backing and enforcing consumer rights while encouraging transparency within business) is likely to encourage legislation that mirrors the requirements of the GDPR.

It’s also worth noting that UK privacy professionals were key in shaping this legislation in the first place – and that the view of what constitutes good privacy doesn’t change simply because we chose to exit the European Union.

Reason 5: Trade negotiations… an easy win.

Over the next few years, the pressure to negotiate a strong trade deal with the EU will drive the adoption of supporting ‘mirror’ legislation designed to minimise barriers to continued trade. Some measures (such as open borders) will be highly contentious. However, it is unlikely that improved privacy protection would be seen as such. In fact, it’s an issue that many could openly support and encourage as an ‘easy win’, which would provide increased compatibility and security for UK-EU trade and improved protection for both groups of citizens.

Reason 6: It needs doing anyway. It’s the right thing to do.

Most of the UK’s existing data protection legislation was written before the widespread adoption of the internet and the globalisation of trade – and the collection of vast amounts of new data about data subjects that followed. Internet-based social media services, such as Facebook and Twitter, didn’t exist and currently enforced laws on data protection were not created to accommodate them.

It’s now easier than at any time before to build and infer much about individuals from the data they generate, often unknowingly, in their day-to-day activities. We are all entitled to a free and private life, so we need laws that help protect us – and the legal framework prior to GDPR doesn’t cut it.

The GDPR, while far from perfect, does offer an improved model for data protection, and it is (perhaps arguably) right and pragmatic for the UK to adopt similar legislation.

Conclusion

So, while it’s true that we are going to be living in uncertain times for a few years, it is likely that privacy will still be high on the agenda. When the next high-profile data breach or misuse happens (think TalkTalk), the public reaction is likely to be the same regardless of Brexit. Ultimately, the pressure for organisations to retain and build trust will remain – as will the pressure on regulators to govern.

Although the adoption of the GDPR as mirroring UK legislation is highly likely, we should also be aware that Brexit will leave the UK ‘on the outside’ for the development of future privacy legislation that, in practice, may well apply to UK-based organisations.

The review of the EU E-Privacy Directive has now started and this is likely to affect how UK businesses can use data and e-mail, social media and other communications to reach EU citizens. It remains to be seen if we have influence over this in the next couple of years. Even if we do, our voice will be less powerful than before.