First published September 2016
As the UK public voted to leave the European Union, a collective sigh of relief must have rung out across the nation from businesses who, in their minds, believed that the General Data Protection Regulation and its associated laws could now be cast aside, never to be mentioned again.
Unfortunately for some, this is not entirely true. In fact, while the UK has voted to leave the European Union, many companies will still be constrained by the law. In short, if your business trades with European member states and possesses information on EU citizens, you will be affected.
Still confused or unsure about whether your organisation needs to comply with the new data protection and cyber security laws coming into effect in 2018? Read on to find out everything you need to know.
The reason why most companies are so uncertain about how Brexit will affect compliance with the GDPR comes down to timing.
The government’s choice to delay the activation of Article 50 of the Lisbon Treaty until 2017 is significant as it means the UK will almost certainly experience life under the GDPR. The only eventuality where this does not happen is if withdrawal arrangements are negotiated and unanimously agreed upon before the regulation comes into effect on Friday 25th May 2018. However, this is unlikely to happen.
Here lies one of the most common misconceptions associated with the GDPR and Brexit. Many organisations believe that the UK’s exit from the European Union means that they will not have to prepare for change as the regulation will only affect the remaining 27 EU member states. This is simply not the case.
If your organisation is not familiar with the intricacies of the GDPR (as 44% of IT professionals indicated in a recent poll by Computer Weekly), note that the companies most likely to be affected are those that offer goods or services to EU citizens, or that collect, control, handle or process data on individuals residing in a European member state.
So regardless of whether the UK is in the European Union or not, if your company performs any of the aforementioned actions in relation to an EU resident, you will need to abide by the rules set out in the GDPR. Territories such as the United States, India, Australia and China will all be affected in the same way.
The most common problem faced by the majority of UK-based organisations is that they already possess personal data from individuals living in the remaining 27 EU member states (including UK citizens living in the EU).
If those responsible for data collection at your business do not fully understand the new guidelines and utilise this data in an unlawful manner, the consequences may be devastating.
If this is a situation that your business finds itself in, compliance with the GDPR is imperative; otherwise you may experience the following:
If your business trades with or processes the personal data of EU residents, you will still be bound by the new regulation’s provisions. There are only a few requirements that may no longer apply – for example, the necessity of a Data Protection Officer.
If your business does not directly trade or collect data from individuals in the EU, you should still review your data protection processes.
The GDPR has been put in place to highlight data protection best practice. Therefore, the best advice for companies is to embrace this new framework, as it is likely the UK will soon have its own data protection regulation that utilises similar principles.
Leaving the European Union will not make a significant difference to the majority of UK businesses with regards to the GDPR. If your company already has a framework in place that it is using to ensure compliance with the GDPR, it is recommended that this planning and preparation continues.
If you’re unsure about where to start, your organisation should look to implement the following:
The GDPR is not something that should be considered an inconvenience. It has been created so that companies are better able to cater to the needs of their customers, whilst formulating universal best practice protocols to aid information management policies, procedures, and technologies. This will minimise possible data loss incidents, as well as data breaches.
Is your business ready for the General Data Protection Regulation? Take our survey and find out.