Who / What Does GDPR Apply To?
The General Data Protection Regulation (GDPR) will apply to all UK (and worldwide) companies that store, process and use the data of EU citizens. The UK was very involved in the drafting of the regulation which was designed to make companies take the issue of data protection more seriously and to strengthen the rights that EU citizens have over their data.
What About Brexit?
GDPR will still come into force long before Brexit matters are concluded, and since it applies to companies that deal with the data of EU citizens, it (or something very similar) will apply after Brexit. UK Information Commissioner, Elizabeth Denham has said that she supports the UK adopting the EU regulation even post-Brexit because if the UK is to continue doing business with Europe, British businesses will need to share information and provide services for EU customers. It should (according to Ms Denham) therefore follow that the UK data protection law should be equivalent.
Up until now, the introduction of GDPR has made many businesses view it as more than a threat than an opportunity because:
- There is perceived complexity in compliance. For example, a Compuware survey has shown that 75% of organisations said the complexity of modern IT services means that it is not always clear where customer data actually resides, and many organisations don’t believe they can locate individual customer data quickly enough (which could lead to penalties). Companies will also need to analyse carefully what data they are collecting and how they are using it
- There are perceived challenges in ensuring data quality to achieve compliance.
- Much has been made in the news about the size of the penalties for non-compliance e.g. PCI Security Standards Council threats that that under GDPR, groups of companies could face fines of up to €20m or 4% of annual worldwide turnover, whichever is greatest for data breaches (fines could exceed the current £500,000 mark).
- There are perceived extra costs e.g. from implementing new systems and procedures, and from potentially having to a hire an in-house data security specialist manger.
- There is no clear perception of the scale of the effort needed to comply (the effort and planning needed), or how far to go with compliance to satisfy regulators.
Security commentators have pointed out that larger companies and those which store and use large amounts of data e.g. companies in the finance, health and retail sectors, are most likely to have started early (out of perceived necessity) in planning for GDPR. It is likely that companies that have been more proactive and have started early in their preparations, and / or have focused on privacy before, and have a framework in place that defines roles and responsibilities, will have an advantage when GDPR comes into force.
Some security experts have highlighted the fact that the preparation for, and the focusing on compliance with GDPR could, in fact, be an opportunity because:
- It will motivate companies to face and tackle data security challenges that they may have been putting off or ignoring i.e. finally getting their house in order.
- Using data in a transparent, privacy-friendly way could be seen as a competitive advantage by customers in the future, thus allowing companies to grow their customer base, collect more data and monetise it more, and build their brand through trust.
- Adopting good data handling practices could help companies to avoid damage to brand reputation through doing something consumers would not want to happen to their data.
- Spending more on data protection compliance and doing a better job of protecting data in the company could improve the cyber security posture of the company too.
What Does This Mean For Your Business?
Not only is compliance with GDPR (or its very similar successor) necessary, but it could actually make sound commercial sense, through providing competitive advantages (because data security is valued by customers), and could have knock-on effects to the cyber resilience of companies.
Companies that have been proactive and moved quickly on this issue could therefore be the ones most likely to minimise the threat of penalties (the law profession is already geared-up to respond to customer complaints), and gain advantages in a marketplace.