Despite the result of Brexit, the government is still very focused on the introduction of the EU’s General Data Protection Regulation (GDPR). This shows how committed the UK is to improving privacy regulations.
The GDPR applies across the EU from 25 May 2018. At that time, the UK is still expected to be in the process of leaving. This raises the question of what happens when the UK officially leaves the EU. The government has addressed this situation, indicating that the GDPR will be codified into UK law via the Repeal Bill.
While the GDPR will be welcomed by privacy professionals, other organisations may require much more effort to meet the higher compliance standards set by the new law. Meeting these obligations is in your best interest, though, as infringement could result in fines of up to €20 million (approximately £17.7 million) or 4 per cent of the previous year’s total worldwide turnover.
When establishing GDPR compliance programmes, the four key areas below should be addressed.
- Increased scope – The scope of data protection law broadens with the GDPR. Those who process personal data on behalf of other companies will now be directly liable for their data processing activities. Not only that, but the extraterritorial reach of the GDPR is also extended. Now, no matter where in the world they are located, any organisation either offering goods or services to people in the EU or monitoring their behaviour will fall under the jurisdiction of the GDPR.
- Accountability – The requirement for organisations to register their processing of personal data with the data protection authorities of each EU member state has been abolished with the GDPR. Replacing it is a regime that places the duty on the organisation to demonstrate that it has the procedures, safeguards and internal policies needed to protect personal data. Inventories of processing activities will play an important role in monitoring organisations’ compliance.
- Data protection by design and default – Instead of being seen merely as a best-practice recommendation, data protection rights will now have to be considered from the very start of the development of applications, services and products. Data controllers will need to implement technical and organisational measures to ensure data protection compliance. These measures could range from corporate communications highlighting the board’s commitment to data protection to the pseudonymisation and encryption of personal data. A data protection officer may need to be appointed to help establish the appropriate level of safeguards to implement.
- Individuals’ enhanced rights – Organisations will have to adapt their information systems to comply with the enhanced requirements of the GDPR. Individuals have a range of rights that they can exercise in relation to their personal data, such as accessing it whenever they require and having certain data (inaccurate or unlawfully held) rectified or erased. They will also have the right to data portability, which covers information provided by the individual to the data controller where processing is undertaken with consent or under a contract. This is likely to affect online stores, social networks and service providers, as it is designed to reflect developments in information technology. If an individual exercises this right, the information will have to be provided to them in a structured, commonly used and machine-readable format.
Multinational post-Brexit complications – Despite the UK’s commitment to implement the GDPR, it is still unclear how Brexit will affect the European data protection landscape. The Information Commissioner still intends to work closely with her EU colleagues, but this ultimately comes down to the EU’s decision. It is almost certain that the UK will no longer have representation on the European Data Protection Board and will cease participating in the EU-wide one-stop-shop regulatory framework.
If the EU does not deem the UK to offer an adequate level of data protection safeguards, then unrestricted personal data flows between the EU and the UK will be a thing of the past.