The UK felt the rumblings of a seismic socioeconomic and political shift this year.
On 23 June, the British public voted – narrowly – for the UK to leave the European Union.
Brexit chaos ensued, the prime minister resigned, the pound fell, and protests and petitions gained traction.
Change is very much on the horizon for British and European citizens and businesses when Theresa May – the new PM – invokes Article 50 of the Lisbon Treaty – the formal procedure for leaving the EU.
Will we have access to the single market? Will we be able to live abroad? Will we be able to recruit the top talent? Will immigrants still be allowed to cross our borders?
There are so many political, economic and social questions to which no one really knows the answers.
One question we can answer, however, is: will UK businesses be expected to comply with the EU General Data Protection Regulation (GDPR)?
The answer is categorically yes, and businesses that do not adhere to GDPR standards will face fines heavy enough to put them out of business.
GDPR is a shake-up of current data protection laws. It is designed to protect personal information in an increasingly digital world. Under GDPR, the definition of personal data will be expanded to include online identifiers, as well as biometric and genetic information.
The proposed regulation was finally agreed by the European Parliament earlier this year and will come into effect on 25 May 2018. Effectively, the EU GDPR will harmonise those businesses that trade in and out of Europe, by requiring those organisations to ensure an adequate level of protection for the rights and freedoms of individuals in relation to the processing of their personal data, as specified by the regulation itself.
Regardless of whether the UK is in or out of the EU, UK companies are still likely to be subject to the GDPR. GDPR will apply, as Kirsten Whitfield, director of Gowling WLG’s tech team, says, ‘if personal data from the EU is transferred to a non-European Economic Area country’.
Any organisation holding EU citizen data is bound by the regulation. Indeed, even those companies that are not receiving personal data from an EU country but ‘targeting goods and services at an EU market through personal profile data of EU citizens will still fall under the GDPR’, remarks Whitfield.
There are so many scenarios – even where a business’s IT provider is based – irrespective of future UK legislation, that will dictate whether a company is in breach of the impending GDPR. It is imperative, therefore, to get GDPR-ready, or face the consequences.
Paying the price
The consequence of breaching the GDPR is crippling fines. Any business that does not comply will either have to cease all operations with European countries or incur significant fines. Major breaches for ‘non-compliance’, said Elodie Dowling, VP of the EMEA general counsel for BMC Software, will be ‘punished with a penalty of 4% of global turnover’ or up to €20 million.
Minor breaches, similarly, will be subject to fines of 2% of global turnover from the previous year or €10 million, whichever is the greater.
These fines are designed to hurt, while current sanctions for breaching personal data laws are relatively insignificant for many companies, comments Nicky Stewart, commercial director at UKCloud.
As the GDPR has yet to take effect, it is difficult to judge the severity of these fines in specific scenarios. What, for example, is the difference between a minor and a major breach? What can be done is to look at the profusion of recent data breaches that companies have suffered, and consider what those same breaches would have cost under the GDPR.
Stephen Love, security practice lead for EMEA at Insight, uses the example of TalkTalk’s 2015 data breach: ‘An unknown loss of data was recorded by the business, and the estimated impact to date is £60 million – this is from loss of business, share price, etc.’
‘If the EU GDPR was in force when this breach occurred, TalkTalk could have been hit by a fine of up to £70 million on top of other breach costs.’
As well as customer dissatisfaction and loss of trust and confidence affecting business revenue, GDPR fines will add insult to injury. These considerably tougher regulations reflect the digital transformation facing global infrastructure.
‘Tougher sanctions, and the greater risk of incurring those sanctions, mean that UK companies will need to put data protection at the top of their agendas,’ comments Stewart. Increasing use of the cloud and increasing susceptibility to cyber attacks have led to personal data being moved around the internet with insufficient regulation.
Arguably, retailers and advertisers have exploited this increased connectivity, while cyber criminals have targeted this readily available access to personal data and profited from it.
The cyber threat
Simply, if a company is hacked and personal data is released or compromised then a fine will be incurred. So organisations must do absolutely everything in their power to improve cyber security against the ever-increasing cyber threat.
PwC UK suggests that over half of British businesses will suffer cyber attacks by 2018. The need to prioritise a strong cyber defence system is great. This should start at management level, with a greater understanding of cyber threat intelligence (CTI) required. Once the boardroom is up to speed, IT security should be reviewed and overhauled by sourcing enough trained staff to implement CTI effectively.
Above all, suggests a recent SANS Institute survey, it is necessary for organisations to cyber-collaborate. Sharing threat intelligence will help to significantly reduce data breaches and the exposure of sensitive data – 71% of those surveyed thought that this was the case.
Only 40% said they were actively contributing to threat intelligence, with the majority passively consuming the information. It would seem that a strong policy shift with regard to cyber security is required. This is one change that businesses can adopt in order to have a better chance of avoiding the wrath of the GDPR.
Getting ready for GDPR
Plan, plan and plan again. Organisations have to understand what the regulation means by personal data, and where this data is stored. In the context of the new regulation, according to Gavin Siggers, director of professional services at Iron Mountain, personal data relates to a person who can be directly or indirectly identified on the basis of that data.
Flexibility is key. ‘Just as regulations change and impose new obligations on organisations over time, your retention policies should remain dynamic and responsive, adaptable to evolving business and regulatory landscapes,’ says Siggers.
But a business’s priority, even under the GDPR, should be to utilise this data, not just keep it safe for fear of EU fines. Chris Gabriel, European chief digital officer at Logicalis, shares this view, and believes that there is no point in having potentially damaging personal data if it’s not going to be used.
‘Companies who are preparing for GDPR also need to consider a data value officer to ensure that they’re not simply ticking boxes to keep data safe but are continually challenging themselves to bring value to the data they hold on behalf of their customers.’
It is not a sustainable option to risk noncompliance; nor is it advisable for growth if businesses keep their heads in the sand.
It is fair to say that businesses are between the proverbial rock and hard place. It is ironic that UK companies will have to adhere to the GDPR imposed by the EU but, unlike other European-based businesses, will not have full access to the single market and its benefits.
A natural progression
The UK will still be part of the EU come ‘GDPR Day’ in May 2018, so ‘all affected entities will have already put in place the requisite infrastructures to comply with the GDPR’, says Stewart Room, global head of cyber security and data protection at PwC Legal.
It is happening, with Article 50 set to be invoked by the end of March 2017, despite the protestations of Leave supporters.
Hiring data value officers makes sense in this GDPR scenario, but as Stewart mentions, ‘They are likely to be expensive commodities, given the laws of supply and demand, which may well be a needless short-term investment should the UK decide at some point to make its own data protection
This raises an interesting notion. There will come a time when the UK will adopt its own set of data protection regulations, and these will ‘mirror the standards set by GDPR’, according to Michael Hack, senior VP of EMEA operations at Ipswitch.
Increased connectivity, a by-product of the digital transformation, means that tougher regulations are necessary. The UK’s Data Protection Act 1998 is outdated, and while controlled to high standards, it was not passed with the internet we know today in mind.
Personal data is worryingly accessible, and ethically it is responsible to implement systems like the GDPR. It is very much a natural progression running parallel to the digital transformation.
Businesses will have to adapt, with only the most compliant surviving.