Organisations hoping that Brexit will protect them from GDPR may be disappointed.
The historic UK vote to leave the European Union, taken on 23 June 2016, remains controversial, especially as the public has been presented with few concrete details of what form the departure will take.
For the technology industry, uncertainties over cross-border agreements on telecoms, cyber security collaboration and regulation will be high on the agenda.
But of equal importance to international tech companies will be what future cross-border data regulations will look like.
The EU regulation in the tech space that is highest on many companies’ agendas is the General Data Protection Regulation (GDPR), the new EU legislation that will replace the 1995 Data Protection Directive.
The main reason for this is that GDPR attaches a draconian penalty to non-compliance: the maximum fine for a single breach is set at the greater of €20 million or 4 percent of annual global revenue.
GDPR adds a new 72-hour breach notification requirement, requiring businesses to report data breaches to the relevant Data Protection Authority within 72 hours of detection.
Research by YouGov for Netskope found that 80 percent of IT professionals in medium and large organisations were not confident of ensuring compliance by 25 May 2018.
A recent global CIO report by Compuware also found that 68 percent of CIOs don’t always know where customer data is, and only half can locate it quickly while 30 percent can’t guarantee they could find it at all. In addition, 52 percent of CIOs would find it difficult to comply with requests to eliminate a customer’s data if they exercised their ‘Right to be Forgotten’.
All of these things considered, no longer being subject to GDPR might seem like a blessing from the EU Referendum result.
However, this is unlikely to be the case.
For one thing, GDPR is not directed simply at businesses based in the EU, but at any company that interacts with the EU, including any that targets goods or services at EU residents or monitors the behaviour of EU residents.
As David Moseley, Global Solutions at Veritas, says, “any UK organisation that serves European customers and collects their data will have to abide by this law. It also means that any organisation that handles personal data relating to individuals located in the EU will be obligated to review their information management process.”
It is also highly likely that the UK will be subject to GDPR anyway, at least until new agreements are drawn up.
This is because GDPR comes into force in less than two years, and Article 50 of the Treaty on European Union, which has to be triggered to negotiate an exit, provides for a two-year negotiating period.
It is possible that post-Brexit, laws will stay in place unless Parliament explicitly votes to repeal or amend them.
Dave Levy, Associate Partner at Citihub Consulting, says that if this is the case, “a Brexited Britain would inherit the GDPR until Parliament repeals or amends it, which may also involve an amendment to the devolution statutes.”
Levy says that he doesn’t expect amending GDPR would be high on the Government’s list of priorities. However, it is possible that the UK might decide to go its own way.
Nicola Fulford, Head of Data Protection and Privacy at law firm Kemp Little said: “The data protection laws that will apply once the UK leaves the EU will depend on whether the UK chooses an EEA-type model (in which case GDPR will apply), an adequacy model (which will require the UK to implement law that is essentially equivalent to GDPR) or something else (for example, that is lesser than GDPR and that would not meet the essentially equivalent test).
“Personal data sharing between the EU and the UK would be able to continue unimpeded if the UK goes for an EEA-type model or an approved adequacy model,” says Fulford.
In a world where international data-sharing is becoming more important rather than less for high-tech applications, it seems likely that the UK would want to be able to work with the EU.
Richard Lack, Director of Sales, EMEA at Gigya, says that “it would make no sense at all for UK regulations to be any less stringent. Poor safeguards against loss, theft and misuse of data would ultimately cost UK business, as consumers and brands put their data elsewhere. Data security is a competitive advantage and not an unwelcome cost.”
The bottom line for businesses is that whether the UK chooses to abolish GDPR upon leaving the EU is essentially moot. Due to what is at stake, UK businesses need to assume that they will be subject to GDPR, whether indefinitely or not, and start to plan accordingly.
If a business is ready for GDPR and the UK does choose to craft its own legislation, then the worst-case scenario is that the business is likely to be on the right track to complying with it.