In light of recent seismic events in the political sphere, business leaders in the UK could be forgiven for assuming that they no longer need to prepare for the EU’s wide-ranging new data regulations – and in a climate of uncertainty, it might be all too easy to confine one’s thinking to short-term issues. The stark reality, however, is that preparations need to ramp up and businesses need to accept at least one more inevitability besides death and taxes.
The General Data Protection Regulation (GDPR) is designed to harmonise data protection rules throughout the EU. The goal is to strengthen citizens' fundamental rights in the digital age and to make business easier by replacing the numerous, often contradictory national privacy regimes that companies previously had to navigate with a single set of rules. It has been estimated that this single law could generate cost savings for businesses of around €2.3 billion a year.
At this stage, it is far from clear what form the UK’s future relationship with the EU might take. What is certain, however, is that businesses will need to ensure that their data usage complies either with GDPR itself, or with equivalent UK legislation.
GDPR applies from 25 May 2018. This means that even if the UK Government were to press ahead with plans for an early exit (currently anticipated in 2020), the regulation would still apply directly in the UK for at least a short period of time.
What’s more, GDPR will continue to have an impact even after any formal separation, as it applies to any business based outside the EU that offers goods or services to people within the bloc, or that monitors their behaviour. Given the obvious importance of such trade to the UK economy, we can safely assume that the Government will either adopt GDPR or create its own legislation with substantially the same requirements.
What are the practical implications for businesses? There is a great deal of work that needs to be done in order to comply with GDPR’s five key requirements:
- ensuring that every customer whose data you hold knows what you hold and why, and that you have a lawful basis for holding it, most visibly their freely given, specific and informed consent;
- reporting data breaches that put individuals at risk to the regulator within 72 hours of becoming aware of them;
- putting in place processes to delete data on an individual when they request that you do so (the “right to erasure”, GDPR’s codification of the much-publicised “right to be forgotten”);
- safeguarding the right to data portability, so that individuals can obtain their data in a usable format and take it elsewhere; and
- keeping accurate records of your processing activities, so that you can account for what you hold on any given customer and what you have done with it.
Businesses are currently not working hard enough on their preparations: research at the end of last year indicated that half of large companies were oblivious to the forthcoming changes, and that awareness was even lower amongst tech companies, which are among the heaviest users of personal data. Penalties for failure to comply with GDPR range from enforced data protection audits by the Information Commissioner’s Office until it is satisfied that compliance is adequate, to fines of up to €20m or 4% of a company’s total worldwide annual turnover, whichever is greater.
When businesses squared up to the challenge of Y2K as the calendar ticked towards the year 2000, there was a palpable sense of urgency across the globe. Managing corporate information, communications and data systems exposed by programs that stored the year as two digits, and so risked reading “00” as 1900 rather than 2000, was a top business priority.
A similar sense of urgency should now be adopted by businesses in the UK and beyond in order to avoid falling foul of severe penalties. Whatever the future holds, like it or not, GDPR, or legislation that closely resembles it in the brave new Britain, is on the way.
The article above appeared in Economia on July 27th.