Brexit and the EU GDPR – what does it mean for the UK?
A time-consuming and costly piece of legislation to draft and finalise, the EU General Data Protection Regulation (GDPR) aims to make significant enhancements to data protection within all member states. Yet a little over six months after the final version was announced, the UK Brexit referendum saw 52% of the population vote to leave the EU.
Since then, many have speculated on the future of the EU GDPR in the UK.
Clarity at last
Little was certain in the wake of Brexit; in the time since, however, the ICO and other interested parties have worked to provide assurance around the EU GDPR and the future of data protection in the UK. Late last month, Secretary of State Karen Bradley appeared before the Culture, Media and Sport Select Committee to clarify the UK’s position, stating:
“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
In response, Information Commissioner Elizabeth Denham renewed the ICO’s commitment to assisting businesses and public bodies to prepare for the EU GDPR. Additionally, both Denham and her predecessor Sir Christopher Graham have confirmed that, regardless of the Brexit vote, the UK will remain a leader in the debate about data protection best practice and the ICO itself will continue to adhere to the highest standards.
What does this mean for UK organisations?
By clarifying their position, Bradley and Denham have given the green light for organisations to continue their preparations for the EU GDPR. This comes at the right time, too – with up to 90% of CIOs surveyed admitting that the legislation will leave them exposed if they continue with current practices, organisations need to start making changes now before the EU GDPR and its penalties come into force.
For example, under the current Data Protection Act, if an organisation is discovered to have suffered a data breach – whether they announce this or it is reported by a third party – they can expect a fine of up to £500,000 from the ICO and widespread media publicity, which can result in loss of client confidence and associated financial implications.
Additionally, only public sector organisations are currently mandated to report data breaches, although all sectors are encouraged to notify the ICO if they experience an incident and can face more lenient penalties if they do so. This has likely led to a certain number of data breaches being reported only in part, or covered up entirely, by organisations not legally obliged to report them.
Amongst many changes to the ways organisations handle data, the EU GDPR brings with it two serious implications for organisations who suffer a breach:
- Mandatory reporting of data breaches. Any organisation suffering a breach where sensitive information is put at risk will have up to 72 hours to notify authorities – regardless of their sector.
- Financial penalties of up to 4% of annual worldwide turnover or €20m. With fines from the ICO only one part of the financial implications of a breach (which also include loss of customer revenue), the total cost of an incident is set to skyrocket. Putting this in context, within 12 months, TalkTalk’s breach from October 2015 had cost the company a reported £60m – with only a £400,000 fine from the ICO.
What can you do to protect your organisation?
The EU GDPR is wide-ranging and, as a result, organisations need to begin addressing data protection using a holistic approach that examines how to protect sensitive information from start to finish. This should include:
- Assess the risks posed to sensitive information by understanding how your organisation processes and handles data. This internal review should cover all procedures at all levels of the business, looking at the types of information that employees create or receive from clients / third parties, who has access to this within your organisation, and the tools used to share sensitive information externally.
- Educate end-users. Not only should this be carried out as a best practice exercise, but it should also directly relate to the results of your internal audits. If you are experiencing a rise in shadow IT or observe sensitive information being shared via plaintext email, then you must work with employees to help them understand the threat this poses and the repercussions that will occur should this lead to a data breach.
- Support employees with smart technology. Organisations also need to acknowledge that today’s increasingly complex IT environments do not lend themselves to a ‘one-size-fits-all’ approach, so security solutions need to offer the necessary levels of flexibility, be that email encryption, large file send or secure online collaboration. Greater protection can also be applied by taking decision-making away from individual end-users. Rather than relying on a member of staff to decide when an email or file should be secured, centralise policy-based control that uses the specific content of an email as the basis for the security decision; a decision made that way is far less open to human error.
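One way to implement the centralised, content-based decision described in the last item, as an added example in Python (not code from the original article or from any product it mentions): it assumes a constructed internal domain, a simplified UK National Insurance number pattern and a constructed keyword list, and uses the Luhn check to avoid flagging arbitrary digit runs as card numbers.

```python
"""Content-based outbound e-mail policy check (constructed example)."""
import re

# Assumed internal domain: mail staying inside it is not subject to the rule.
INTERNAL_DOMAIN = "example.co.uk"

# Candidate payment-card numbers: 13-16 digits with optional spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Simplified UK National Insurance number pattern (assumption), e.g. AB123456C.
NINO_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")
# Keywords an organisation might list in its own policy (constructed list).
KEYWORDS = ("confidential", "medical record", "passport number")


def luhn_valid(candidate: str) -> bool:
    """Luhn checksum; cuts false positives from random digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(body: str) -> list:
    """Return the policy reasons triggered by the message body."""
    reasons = []
    if any(luhn_valid(m) for m in CARD_RE.findall(body)):
        reasons.append("payment card number")
    if NINO_RE.search(body):
        reasons.append("national insurance number")
    lowered = body.lower()
    reasons.extend(f"keyword: {k}" for k in KEYWORDS if k in lowered)
    return reasons


def decide(recipient: str, body: str) -> dict:
    """Central decision: encrypt when sensitive content leaves the organisation."""
    external = not recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    reasons = classify(body) if external else []
    return {"action": "encrypt" if reasons else "send",
            "reasons": reasons, "external": external}


if __name__ == "__main__":
    # Constructed sample messages; the card number is a well-known test value.
    print(decide("client@partner.example",
                 "Card 4111 1111 1111 1111 attached, confidential."))
    print(decide("bob@example.co.uk", "Internal ledger note, nothing sensitive."))
```

The sender never chooses; the gateway applies the same rule to every outbound message, which is the point the paragraph makes about removing the decision from individual staff.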
Ultimately, organisations have until May 2018 to improve data security and protect themselves from a breach. With Bradley’s and Denham’s announcements last month, no-one can plead ignorance or lack of time to prepare.
However, organisations should also recognise the opportunity the EU GDPR presents to enhance data security procedures and systems, which in the long run will better protect their businesses, their staff and their customers – or else they will be forced to sit up and listen when fined up to 4% of their global annual turnover.