By Paul Slater, Executive Director of EMEA, Nuix
In June, United Kingdom citizens voted to end their 43-year membership in the European Union (EU) and its predecessors. While the results of this historic decision will take years to play out, many businesses in the UK already face an interesting question: Do they need to continue working toward complying with the EU’s General Data Protection Regulation (GDPR)?
The UK’s Information Commissioners Office (ICO) said in a statement that the UK’s Data Protection Act “remained the law of the land irrespective of the referendum result,” and that “if the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK.” However, the statement also went on to highlight that: “…if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’”- in other words UK data protection standards would have to be equivalent to the EU’s GDPR framework.
Many organisations based in the UK will continue to implement the GDPR simply because it’s in their own best interests. This may be because they operate within European territories and must comply with the law to continue doing so; or because they may realise their European partners or customers will not take them seriously if they chose to try and ignore GDPR compliance.
The new laws on GDPR won’t be enforced until at least the first half of 2018 – but this is a relatively short period for businesses to respond, react and deliver on the new regulations.
How can you ensure your business is not left behind? Following these tips can help.
1. Make privacy concerns part of the fabric of your organisation
Implementing privacy by design can demonstrate compliance and create a competitive advantage for your organisation. This translates into embedding privacy early in the process into any new processing or product that you deploy.
It also means establishing transparent privacy policies which are written in clear and unambiguous language, and are easily accessible to everyone within your organisation. These policies should help you prepare for data subjects to exercise their rights under the GDPR, such as the right to data portability and the right to be forgotten. If you store personal data, make sure you have legitimate grounds to retain it – it will be your burden of proof to demonstrate that your legitimate grounds override the interests of the data subjects.
- Consider the legal basis on which you use personal data
Organisations often assume that they need to obtain the consent of data subjects to process their data. However, consent is just one of a number of different ways of legitimising processing activity and may not always be the best option, as it can be withdrawn. If you do rely on obtaining consent, review whether your relevant documents and forms are adequate, and check that consent is freely given, specific, and informed. You will be responsible for proving the legitimacy of your data if its processing is questioned.
- Prepare for an (unavoidable) breach
Any organisation that stores valuable information is a target for cybercrime. With criminals having become more organised in gaining access to sensitive information by using techniques including phishing emails, man-in-the-middle attacks and malware, being breached is no longer a matter of “if”, but “when”. To prepare for the inevitable, you must put in place clear policies and well-practiced procedures to ensure that you can react quickly to any data breach and comply with breach notification requirements.
- Have clear accountability policies in place
Having clear policies in place can help ensure that your organisation meets the required standards. Establish a culture of monitoring, reviewing, and assessing your data processing procedures, aiming to minimise data processing and retention, and build in safeguards. Check that your staff are trained to understand their obligations. You will also need to conduct auditable privacy impact assessments to review any risky processing activities and steps taken to address specific concerns.
- Be cautious with cross-border data transfers
You may want to consider adopting binding corporate rules to facilitate international data transfers, including intra-group transfers. With the new regulation, it will be important to ensure you have a legitimate basis for transferring personal data to jurisdictions that the European Union does not recognise as having adequate data protection. This is not a new concern, but the consequences of non-compliance could be severe. Failure to comply could attract a fine of up to 4% of your organisation’s annual worldwide turnover.
- Understand your obligations as a data processor
The GDPR imposes some direct obligations for suppliers to other organisations which you will need to understand and build into your policies, procedures, and contracts. Consider whether your contractual documentation is adequate and, for existing contracts, check who bears the cost of making changes to the services as a result of the changes in laws or regulations. If you obtain data processing services from a third party, it is very important to determine and document your respective responsibilities.
In the end, GDPR will still have a significant impact on UK organisations, whether or not the UK is an EU member. If UK businesses want to survive when the GDPR goes into effect, the Brexit decision should not change the way those organisations were preparing to comply with the regulation.
Good information governance is the only way to minimise the massive reputational and financial damage that will inevitably come in the wake of a data breach. Organisations should take note and make it a regular practice to go above and beyond the GDPR regulations, regardless of whether it is the law in the UK or not.