If GDPR compliance is not near the top of IT leaders’ priorities for 2017, you have a problem.
GDPR – the European Union’s General Data Protection Regulation – was always going to be a major challenge, given that it widens the scope of issues that organisations need to consider when planning their data strategy.
GDPR introduces mandatory data breach notification for the first time; it brings higher penalties for non-compliance; it strengthens citizens’ rights and the rules around obtaining consent to gather and exploit personal data; and it stresses the importance of self-assessment in managing data.
The law comes into force on 25 May 2018 – now less than 14 months away. If you’re in the UK and were hoping that Brexit means you don’t need to worry – think again.
For a start, the UK will still be in the EU by the deadline, so it will be law in the UK too. GDPR is not only for organisations located within the EU area – it covers the use of personal data about EU citizens by anyone, anywhere in the world. If your organisation stores information about an EU citizen, you need to comply, regardless of local laws, or you risk being prevented from trading with the EU.
Moreover, despite all the uncertainty about Brexit, the UK government has quietly confirmed that it intends to introduce new data protection legislation that exactly mirrors GDPR, even after we leave the EU.
The move, announced by digital economy minister Matt Hancock this week, will go some way to alleviating concerns about cross-border data flows post-Brexit. Public debate about the future relationship between the EU and UK concentrates on exports, customs, immigration and trade – glossing over the fact that perhaps the most important exchange that will need to continue is data.
Data, essentially, is what the City of London moves – not bank notes. Online shopping is entirely reliant on data, especially when you consider that buying from Amazon, to quote just one example, means trading with a company in Luxembourg. Every UK tech startup or internet business that gathers identifiable data about its visitors needs that data to flow freely across international borders.
Trade in data is central to the future of the recently announced UK industrial strategy, which highlights the importance of science, technology and innovation to economic growth outside the EU.
For IT leaders, GDPR compliance is going to be essential, but a burden. There’s a lot of work to be done. If you haven’t started already – get moving.