Publication of the long-awaited EU General Data Protection Regulation (GDPR) is expected sometime this month, but following the Referendum and the UK’s decision to leave the EU, will it still be imposed on UK companies? asks Colin Tankard, Managing Director of data security company Digital Pathways.
It was understood that, once published, there would be a two-year period for every organisation that does business in, or with, the EU to comply with the regulation. And, since it is a regulation, not a directive, compliance would be mandatory, without the need for each member state to ratify it into its own legislation.
The GDPR expanded the scope of data protection so that anyone, or any organisation, that collects and processes information related to EU citizens must comply with it, no matter where they are based or where the data is stored. Cloud storage was no exception.
The definition of personal data is also expanded. It states that personal data includes information from which a person could be identified, either directly or indirectly. Under the new definition, identifiers such as IP addresses and cookies are included as personal information.
The GDPR introduces mandatory breach notification unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects concerned.
However, Tankard thinks that, following Brexit, the UK may not adopt this regulation but, instead, modify its existing UK Data Protection Act to make it more like the GDPR, so as not to be seen to adopt an EU law as is.
He says, ‘This poses an interesting question and one we will need to follow closely given the original timeframe for adoption.
‘Another question is about data protection adequacy. In order to be able to collect and process data on EU citizens, the UK must be able to prove that the measures it has in place are adequate, which was the reason behind Safe Harbour in the United States.
‘Given the current mood in Europe, I don’t see the integration of the GDPR as being an automatic given. It is interesting that the UK has already objected to certain parts of the GDPR, such as the need for many organisations to employ a dedicated data protection officer. Something as seemingly trivial as that could have grave consequences.
‘Hopefully, there will be clarity on the issue in due course and, in the meantime, we will continue to monitor the GDPR closely.’