Data privacy law in the EU is about to get a facelift next month with the introduction of the General Data Protection Regulation (GDPR). 2018 will also see more moves being made to ensure a smooth exit for the UK following the Brexit vote - but how exactly do the two events relate?
Somewhat worryingly, recent research has found that over one in four UK businesses (26%) say they are less clear since the Brexit vote about what they need to do to comply with the new regulation, or whether they need to comply at all. With time almost up to finish preparations, a large number of businesses could find themselves risking large fines if they fail to follow the regulation fully from its 25 May start date.
So, what exactly does Brexit mean for GDPR, and what does it mean for your business?
The GDPR was adopted in April 2016 and applies from 25 May 2018, in the UK as in every other member state. It was created with the aim of offering more protection to individuals in the EU, whilst unifying data privacy law across the member states. It builds on the current rules, particularly those relating to consent, and imposes far larger fines on organisations that don't comply.
A survey by Crown Records Management found that 24% of businesses have cancelled their preparations to comply with GDPR since Brexit, and nearly 50% don't think the law is now applicable to UK companies.
This just isn't true. The UK is still part of the EU, with the exit date currently set at 29 March 2019, so the regulation applies in the UK in full from 25 May 2018. What's more, the new rules apply to any organisation that offers goods or services to people in the EU, regardless of whether a payment is involved, and to organisations that monitor the behaviour of individuals in the EU.
The main data protection law currently in force in the EU is the Data Protection Directive (DPD), introduced in 1995 and implemented in UK law by the Data Protection Act 1998. Digital technology has obviously seen huge change and advancement since then, and as a result consumers have become more concerned about how their information is collected and used; a recent survey found that 67% of European citizens are worried about having no control over the data they provide online.
Clearly, it's time for an update, and this is where the new law comes in, with hopes of giving citizens more control over their personal data and making sure organisations follow the right steps to ensuring it's not vulnerable. A report from Deloitte on the subject found that consumers are much more confident when businesses tell them how their information is being used - as the image below demonstrates.
The GDPR is more an extension of the current rules than a complete overhaul, but there are some big changes that are likely to have a profound impact on organisations that need to comply with them. The main changes are:
One of the most important things to note is the broader definition of personal data. Under the DPD, personal data was generally understood to mean someone's name, photo, contact details such as phone number and email address, and any number used to identify them (e.g. National Insurance number). The GDPR explicitly adds online identifiers such as IP addresses and cookie identifiers, and treats biometric data (e.g. fingerprints) as a special category; social media posts that identify a person are personal data too.
This change is important because it offers more protection for individuals, but there's no doubt that it makes things more difficult when it comes to marketing. Tracking customers and leads by their browsing history, or cold calling or emailing them, will no longer be something you can do by default: under the GDPR every use of personal data needs a lawful basis, such as the person's consent or a documented legitimate interest that does not override their rights, and you must be able to show which basis you are relying on.
Another key principle of the new regulation is the power given back to individuals through stricter rules for data collection and use. Where you rely on consent to process personal data, that consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: pre-ticked boxes and silence no longer count. Consent requests must be clear, easy to understand and set out exactly how the information will be used, and it must be as easy to withdraw consent as it was to give it.
Individuals could already request access to the information an organisation holds about them under the DPD, but the GDPR strengthens the right: the data controller must normally respond within one month and provide a copy of the data free of charge (the £10 fee allowed under the Data Protection Act 1998 disappears), along with the purposes of the processing. Individuals can also ask to 'be forgotten'. This right to erasure is not unconditional, but where one of the grounds in Article 17 applies, for example the data is no longer needed for the purpose it was collected for, or the individual withdraws the consent the processing relied on, the company must delete the data it holds on them.
Under the DPD the legal responsibility for compliance sat almost entirely with data controllers. The GDPR places direct obligations on processors for the first time, and requires that processing on a controller's behalf is governed by a written contract containing the terms set out in Article 28 (for example, acting only on the controller's documented instructions, keeping the data secure, and assisting with breach notification and data subject requests).
The regulation itself (Article 4(8)) defines a processor as:
‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.’
It is up to the data controller to use only processors that provide sufficient guarantees that they will meet the GDPR's requirements, and to satisfy itself that they do.
The DPD allowed each member state to set its own rules for personal data breaches, whereas the GDPR sets a single requirement, making it much easier to know what compliance looks like. Companies must report a breach to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must also notify the affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, such as financial loss, identity theft or damage to their reputation.
Source: IT Governance
The penalties for non-compliance have changed, too. While the maximum fine under the Data Protection Act 1998 was £500,000, the GDPR has a two-tier system with potentially much larger sums:
1) Up to €10 million, or 2% of annual global turnover – whichever is higher – for infringements of obligations such as those on controllers and processors, security and breach notification.
2) Up to €20 million, or 4% of annual global turnover – whichever is higher – for infringements of the basic principles, individuals' rights, or the rules on international transfers.
Fines are likely to be a last resort and must be proportionate to the infringement, but they act as a stark reminder for companies of the importance of ensuring complete compliance.
After leaving the European Union the UK will become a 'third country' and will no longer be bound by EU law as a member state. However, when it comes to the GDPR, Brexit will definitely not mean that UK companies can stop worrying about the new rules. The regulation applies to organisations outside the EU as well as inside it, so if any of the following apply to your business, you still need to comply...
You offer products or services to people in EU countries - If your business offers goods or services to individuals in any EU member state, whether or not they pay for them, the GDPR applies to you.
You monitor individuals in EU countries - No transaction needs to have taken place; if you are monitoring the behaviour of people in the EU, for example by tracking their activity on your website, you'll need to comply.
You process data about people who are in the EU - The test is where the individual is, not their nationality: the GDPR covers anyone located in the EU when you offer them goods or services or monitor them, whatever their passport says. It does not, on that basis, cover EU citizens living in the UK after Brexit, but given how much UK business involves customers, suppliers and staff based in the EU, there's a good chance your business will be affected.
Even if none of the above is relevant to you, the fact remains that the UK will still be part of the EU until at least March 2019, so you still need to comply in the meantime.
Although the situation after Brexit is a little less clear, the UK government has shown a strong intention to keep the GDPR framework in order to replace its now outdated data protection law. The Queen's 2017 speech to Parliament mentioned the need for a 'new law' on data privacy and 'proposals for a new digital charter', and the government has stated that 'the same rules and laws will apply on the day after exit as on the day before', strongly indicating that the GDPR's principles will be carried over into UK law.
What exactly do the GDPR principles mean for your business, and what steps do you need to take to prepare?
The Adequacy Decision - The European Commission (EC) can decide whether a third country (which the UK will be) has adequate data protection in place (Article 45). If it does, personal data can flow from the EU to that country without any further authorisation or safeguards. Until the UK has such a decision, transfers from the EU to the UK will need another mechanism, such as the one below.
Binding Corporate Rules - A group of companies can use BCRs to transfer personal data between its own entities across borders, provided the competent supervisory authority (the ICO, for a UK-led group) approves them first. BCRs must set out the privacy principles the group follows, the tools that make them effective (e.g. proper training and audits), and evidence that the rules are legally binding on every entity in the group.
Personal Data Review - One of the first things you'll need to do is carry out a complete audit of the personal data your company holds, including that of staff members. For each set of data you'll need to record exactly how it was gathered, when, for what purpose, which lawful basis you rely on, and who it is shared with.
Team Training - To ensure that your company is fully compliant it's vital that your staff have a good understanding of the new legislation and their individual responsibilities. Remaining compliant is an ongoing process, so it's incredibly important that everyone has the skills and knowledge required to avoid personal data breaches and to recognise and escalate one quickly if it happens.
While using data belonging to individuals in the EU for marketing purposes will undoubtedly be made harder under the GDPR, the regulation does not cover information about legal persons, so businesses wishing to use insights on other companies can still do so and remain compliant. One caveat: data about sole traders and partnerships, or about named contacts at a company, is still personal data and falls under the GDPR. The process of finding company-level insight is now easier than ever, since business intelligence platform Global Database opened its UK data, providing a variety of valuable insights on companies across all industries.
You can perform a quick and easy search for any of the 4 million UK companies listed in the database, with each record providing details such as profit and loss accounts, cash flow, number of employees, years in operation, structure and ownership, technologies used, website traffic, and more.
These insights can be used for a variety of functions, for example targeted marketing, lead qualification, and due diligence checks to name just a few.
While a frighteningly large number of UK businesses still believe that Brexit exempts them from complying with the GDPR, the reality is very different. Regardless of whether your business sells products within the EU, you'll still need to comply from 25 May 2018 until the UK leaves the European Union, and with the UK's own data protection law likely to be very similar afterwards, it makes sense to take steps to become fully compliant now and for the future.
To gain instant access to data on any UK company completely free of charge, visit us at www.GlobalDatabase.com