Let’s say you are responsible for cyber security in your organisation, and it’s a UK-registered company.
You’ll no doubt have heard about the new data protection rules, which are allegedly tougher than the current UK Data Protection Act 1998. The latest data rules, known as the General Data Protection Regulation (GDPR), were agreed in Brussels in December 2015 and become enforceable in 2018.
You are aware of obligations on your organisation to fulfil a range of individual rights.
You will have an obligation to perform data erasure in response to individuals’ exercise of their “right to be forgotten” – that is, the right to withdraw their consent to your storing or using their personal data and to request their data be deleted.
Then there is the obligation to ensure that any personal data you hold has been collected after obtaining consent that was explicit, rather than implied.
Consent must be freely given, rather than under the duress of not being able to access your services otherwise. It must also be requested in clear and plain language and asked for in a distinctive “standalone” fashion, separate from other terms and conditions.
You will also have an obligation to allow individuals to see their own data, to release a copy of any data you hold about them in a commonly readable format, so they can exercise the right to data portability – meaning they can transfer personal data from one service provider to another.
You will have to notify the relevant data protection authorities within 72 hours – in the UK it’s the Information Commissioner’s Office – about serious data breaches and any affected individuals if the breach affects their fundamental rights.
Once you think about how wide-ranging the demands of this regulation are on the processes and data architectures of the IT function, you will probably start negotiating with the CFO or the CEO for a budget to resource the GDPR-compliance programme.
Just as you feel you are making good progress – and faring much better than the 44% of IT professionals in a recent poll indicating they were unaware or only vaguely aware of the new rules – you are hit with this line: “We don’t know if we’ll be in the EU [European Union] for much longer. Let’s wait for the referendum results”.
Or perhaps this excuse: “We don’t have operations, subcontractors or subsidiaries in the EU. In the event of Brexit, we won’t have anything to do with EU data protection. All our data is held on servers in the UK. We’ll cross that bridge when we get there”.
If so, stick to your guns – GDPR is going to affect UK businesses offering any type of service to the EU market, regardless of whether your business stores or processes data on EU soil, and whether the UK stays in the EU or not.
Whose data is it anyway?
On the first count, you may need to explain to your marketing or product development colleagues that what triggers the applicability of the GDPR is whether the data you handle is about EU individuals or has the potential to identify individuals that find themselves in the EU – not about whether your company is in the EU.
If the colleagues who do most of the data collection don’t appreciate that it is who the data is about, not where the data lives, that matters for the GDPR, you may end up spending a lot of your cyber security budget defending data that should never have been collected.
You may also find that data your organisation holds in breach of the GDPR cannot be used in any big data initiative after 2018, and that holding it leaves your organisation liable to fines of up to 4% of global turnover.
Indecisiveness at board level – exacerbated because of the genuinely held, but legally unwarranted, assumption that EU data protection rules need not be applied if the UK leaves the union – is harder to overcome. If you wait for the referendum results, you leave your organisation an unmanageably short timescale for implementation – less than 18 months.
Therefore, it pays to become familiar with some of the relevant legal arguments and escalate these to the board.
Even in the event of a Brexit, UK businesses offering services to EU citizens – regardless of whether they hold any data in the EU – will have to adopt more stringent rules than the ones currently imposed by the UK Data Protection Act. Otherwise trade – via personal data flows – with Europe is off the table.
Chiara Rustici is a London-based independent GDPR analyst. She offers further practical advice on how best to prepare for the new regulations here.