Britain may no longer be part of the EU by 2018 but that will not exonerate businesses from having to comply with onerous new data-privacy laws when dealing with consumers and businesses in EU member countries.
According to a survey conducted by KPMG of 100 UK CEOs, nearly 60% believe that the new EU General Data Protection Regulation (GDPR), set to be introduced in May 2018, will hinder their ability to do business with EU clients post-Brexit if the UK does not move to align its own regulations with those ratified by the European Commission in April this year.
The new regulations will affect all organisations in the UK and worldwide that deal with EU member countries. Failure to comply with the regulations could result in businesses facing fines of either €20 million or 4% of their global annual turnover, whichever is the greater, according to KPMG.
“The worry amongst this cohort of CEOs is understandable”, says Mark Thompson, Global Privacy Advisory Lead at KPMG; “once GDPR is enforced it will fundamentally alter the way we live, work and interact with technology, organisations and each other. This revolution will transform the scale, scope and complexity of personal information processed, with personal information being a core component of everything we do.”
He goes on to suggest that “Statements issued by the UK Government suggest that the UK will adopt the GDPR while it negotiates its exit from the EU. What remains to be seen is whether the GDPR is subsequently repealed and replaced with something else.”
The UK privacy regulator, the Information Commissioner’s Office, “remains adamant that the UK will adopt the GDPR while it negotiates its exit from the EU”, Thompson believes, therefore “it seems likely that a GDPR equivalent privacy framework will be here to stay and organisations should prepare accordingly.”
One of the fundamental issues with Britain’s withdrawal from the EU is that it hardly exonerates UK companies from complying with EU law so long as they continue to do business in the EU, which of course they will, while those same organisations will also be expected to adhere to a separate set of domestic rules, whatever these may be.
This will mean that companies may well end up being forced to comply with two, or even three, different sets of regulations governing data privacy – the domestic market, the EU and the rest of the world.
“The requirements being introduced by the GDPR are going to require most organisations to make significant enhancements to their privacy control environment and rethink the way they collect, store, use and disclose personal information”, says Thompson, adding “These changes are going to be complex and take time; as such, most organisations cannot afford to wait and see what form Brexit takes.”
Thompson outlines three steps businesses can take now to avoid finding themselves exposed when the new EU regulations take effect.
Firstly, businesses should “raise awareness at the board level – this should result in the funding being made available to undertake a privacy improvement programme.”
Secondly, businesses should try to understand the current state of their privacy controls and set their desired state. This can be done, KPMG suggests, by conducting a gap analysis against the GDPR to understand where their organisations may be exposed to risk, and by determining what their risk appetite is.
And finally, planning and implementation should be introduced to “enable the desired risk appetite to be reached and undertake a privacy improvement programme to deliver against this plan”.
When the GDPR is introduced, the legislation will replace the existing European Union data protection directive, which dates back to 1998.
Unlike the existing directive, the new GDPR will also apply outside the EU wherever the data of EU residents is processed. The European Commission defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Each EU member state will be required to establish its own independent Supervisory Authority to hear and investigate complaints, and to sanction administrative offences.
The European Commission website states that “more than 90% of Europeans say they want the same data protection rights across the EU – and regardless of where their data is processed”, and that a single law “will do away with the current fragmentation and costly administrative burdens, leading to savings of around €2.3 billion a year.”
These savings are unlikely to be felt in the UK, however – quite the opposite in fact. The British government’s Data Protection Act also dates from 1998, and consists of eight basic principles.
There is nothing basic about the administrative headache that Brexit will create for UK based business owners however.
Prime Minister Theresa May, the architect of the unpopular “Snooper’s Charter”, was recently quoted by Wired magazine as saying: “I don’t think Brexit should mean Brexit when it comes to standards of data protection – in order for British businesses to share information and provide services for EU consumers, the law has to be equivalent.”
“EU law will be transposed into domestic law, wherever practical, on exit day,” David Davis, Secretary of State for Exiting the EU, said during a party conference speech. “It will be for elected politicians here to make the changes to reflect the outcome of our negotiation and our exit. That is what people voted for: power and authority residing once again with the sovereign institutions of our own country.”
And some hefty fines, too, for anybody unable to work out who they are answerable to. Perhaps the easiest way to answer that question is to assume “pretty much everyone.”