Some argue that regardless of whether or not Britain stays in the EU, the newest data protection guidelines will still affect all UK businesses.
The General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018 after four years of negotiations, resulting in the finalized text in December 2015. The GDPR includes stricter rules than the current UK Data Protection Act of 1998 and intends to reform the EU Data Protection Directive, according to ComputerWeekly.com.
Those rules include:
- An obligation to delete an individual’s data based on their “right to be forgotten;” their right to withdraw consent to storing/using personal data
- Companies must give individuals access to their data and provide a copy of any data held by them in order to allow individuals to transfer their personal data from one service provider to another.
- Companies must explicitly ask for consent to collect and hold personal data. And that data must be given freely, not asked for in exchange for using a company’s services.
- Plus, organizations must notify data protection authorities within 72 hours after they learn of a serious data breach, as well as notify any affected users/customers.
There are some major financial penalties for noncompliance with these rules, including up to €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater, according to ITGovernance.co.uk.
InfoSec Europe: Data Privacy, EU, GDPR & The Global Connected Enterprise
At InfoSecurity Europe, there was a panel discussion about Brexit and the data protection implications, Regulation, Risk & Privacy: Data Privacy, EU GDPR & the Global, Connected Enterprise.
One panelist, Eduardo Ustaran, partner in the global Privacy and Information Management practice of Hogan Lovells, argued that the UK must follow EU protection laws as it’s the only way to be part of the digital economy in a meaningful way.
Another panelist, Iain Bourne of the Information Commissioner’s Office, suggested that the UK might have its own functioning data protection law, separate from the EU. While not 100% GDPR law, it could still be some form of information rights law.
Nina Barakzai, Group Head of Data Protection & Privacy at Sky, argued that organizations must have the free flow of data across all boundaries to get news to people, pay employees, and service customers lawfully.
The panel also mentioned that the US frameworks don’t provide enough protection for data accessed by government authorities – no matter how safe your cloud is, the US government still has access to that data, according to EU court.
They also brought up the point that the GDPR will allow regulators to go after the contractor or vendor that has a breach or security incident, instead of the organization. This is similar to the US’s HIPAA legislation for the healthcare industry that includes business associates in the scope of who is responsible (and liable to be fined or sued) in the event of a data breach.
Either way, the general consensus is that the UK still needs some form of data protection and privacy laws that will enable them to do business within the EU and beyond.