Since 1998, we have relied on the Data Protection Act (DPA) to provide a regulatory framework for protecting personal data. It has been effective to some extent, but it is fair to say that an upgrade is long overdue. A great deal has changed in the last 20 years: many more businesses process personal data, technology has evolved beyond recognition, and cyber-attacks are becoming increasingly frequent and sophisticated.
On May 25 2018, the General Data Protection Regulation (GDPR) comes into effect. The GDPR is a legal framework designed to strengthen and harmonise data protection for individuals in the EU (it protects data subjects in the EU regardless of their citizenship), and it also regulates how personal data may be transferred to, and processed in, countries outside the EU.
What does this mean for Britain?
Britain is on course to officially leave the European Union on March 29 2019, roughly one year after the GDPR comes into effect. Until then, we will be required to comply with the GDPR in full. But what happens after March 2019? It is hard to say. Those who opposed Britain leaving the EU have called for a "soft Brexit", which would give Britain a deal similar to that of Norway, Iceland, and Liechtenstein and would keep us in the European Economic Area (EEA). It is worth noting that the GDPR applies throughout the EEA, not just within the EU. In the event of a soft Brexit, then, we would be required to comply with the GDPR indefinitely.
Regardless of whether you agree or disagree with Britain leaving the EU, a soft Brexit would likely anger a significant portion of the UK population, so it may be unlikely to happen. In the event of a "hard Brexit" (or just "Brexit", as the case may be), the GDPR would no longer apply directly in UK law, and Britain would be free to devise its own data protection laws. The Information Commissioner's Office (ICO) has stated that whatever happens after Brexit, our data protection laws will be updated and the new laws will be "stringent". One way or another, organisations will need to ensure that they are able to protect and respect the personal data they hold.
There is a further point that a hard Brexit does not change. The GDPR has extraterritorial scope: it applies to any organisation located outside the EU that offers goods or services to individuals in the EU, or that monitors their behaviour, regardless of where the data is stored or processed. So organisations located in Britain that handle the personal data of people in the EU will still have to comply with the GDPR, even in the case of a hard Brexit.
What would be the best approach to complying with the GDPR?
The GDPR introduces a number of important changes to the current data protection laws. These include: increased territorial scope, harsher penalties, stricter consent requirements, extended data subject rights, "privacy by design" requirements and mandatory breach notification. Additionally, under the GDPR, public authorities and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of personal data will be required to appoint a Data Protection Officer (DPO). Since a lengthy explanation of GDPR compliance is beyond the scope of this piece, I would like to draw attention to one very important consideration.
In order to comply with the GDPR, organisations will need to know exactly where their personal data is located, what changes are being made to it, who is making those changes, why the changes are being made and when. The GDPR's accountability principle also requires organisations to keep records of their processing activities and to be able to demonstrate compliance on request, and a personal data breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it. To answer those questions, and to meet that deadline, organisations will in practice need some form of automated auditing in place. For example, LepideAuditor provides a group of auditing solutions that enable organisations to track, report and alert on critical changes to their systems. Without such tooling in place, complying with the GDPR, or any other important data protection regulation, will likely be a tremendous task.
Whether the UK experiences a soft Brexit and stays in the EEA, or cuts all ties with the EU, organisations that store and handle the personal data of people in the EU will still have to comply with the GDPR. The future of the UK is uncertain, but it is always better to be safe than sorry. Get prepared for the GDPR now, especially if your organisation handles the sensitive personal data of individuals in the EU.