With the result of the June referendum, the status of the forthcoming General Data Protection Regulation (GDPR) may seem to be in doubt. If you host application data, or customer and marketing data, understanding how and when the rules are likely to change is an essential compliance question that needs clarifying.
What is the General Data Protection Regulation?
The GDPR is a new EU regulation that will come into force in 2018. It applies to:
- Organisations inside the EU
- Organisations outside the EU handling data from EU residents
Its aim is to provide a single set of rules for all EU member states that will allow the states to support each other in investigating complaints. The major changes to existing legislation in terms of personal rights are:
- Consent to data collection and storage must be explicit and can be withdrawn at any time
- The ‘right to erasure’
- Greater transparency on data collected and its usage
- Increased subject access rights
- The ‘right to rectify’
In practical terms, the changes mean that marketing and sales leads, as well as users or customers, will have increased rights to know what information you are storing about them, what you are using it for, and to request that it be changed or deleted. It also means that so-called ‘soft’ opt-ins for sales and marketing emails may have to become a thing of the past. Brands will need to review their agreements with cloud hosting providers as well as any SaaS products that they are using.
So how does Brexit affect things?
Honestly, not a great deal. If you’re handling data from EU citizens, you’ll need to be compliant whether or not you are based in the EU.
Even if you only handle UK citizen data, the new regulation will come into force in 2018, which is very likely to be before Brexit is complete. If this is the case, it seems that brands will still need to be compliant during the interim period.
And after that? Well, when the UK does adopt its own legislation, it is likely to resemble the GDPR more than it does a US Privacy Shield-style approach. In fact, the Financial Times argues that the most likely outcome is that the UK will simply adopt the GDPR as is:
"[GDPR] would empower regulators to dish out fines of up to 4 per cent global turnover to businesses in the event of a security breach. The laws were hammered out over the past four years, with the UK a significant pro-business voice in their making."
The Information Commissioner's Office (ICO) has issued a statement that seems to support this:
"If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018."
How this complex issue will play out remains to be seen, but data protection compliance is something that every company handling personal data will need to keep on its radar in the coming years. If compliance and accreditation are on your agenda, why not download our 15-step guide to implementing ISO 27001?