Brexit won't mean UK plc will escape GDPR cyber requirements
On 28 May 2018 the European Union will bring into force the General Data Protection Regulation (GDPR), an effort to unify and improve data protection safeguards for individuals and bring about greater transparency and accountability from those companies that hold their data.
The main objective of GDPR is to give people greater control and better safeguards when it comes to the storage and use of their personal data, and to simplify the regulatory environment. Companies will need to set up data controllers and processors to ensure adequate record-keeping and the appropriate security standards; they will need to inform the authorities within 72 hours of becoming aware of a data breach that poses a risk to the data they hold, and failure to comply will lead to fines of up to €20m or 4% of turnover, whichever is higher.
So if they haven’t yet, businesses handling the data of EU citizens need to start taking steps towards compliance, which next year will include the UK, given that we are not formally leaving the EU until 2019. But a question mark has remained over what happens after 2019 for businesses that operate within the UK and which do not and will not handle data from other EU markets. Will an ‘upside’ of Brexit be an ability for businesses to keep quiet about any cyber issues?
In short, no. The UK Data Protection Bill, announced this month and coming before Parliament when it returns from the summer recess, largely replicates the requirements of the GDPR. This is good news for businesses that operate across the UK and EU: it ensures that compliance with both sets of regulations won’t be additionally onerous, and it removes the risk that the European Court of Justice would deem the British data protection rules non-equivalent and bar EU companies from sharing data with UK businesses or subsidiaries.
That said, there are a few differences that businesses need to be aware of.
Firstly, the right to be forgotten requirements are strengthened, with consumers now able to request that social media providers delete all the posts they made below the age of 18. While the major social media providers will likely be able to fulfil this, more niche sites may struggle to source the data, and it calls into question what is defined as ‘social media’. For example, would a company’s website meet that definition if it allowed comments and posting, and what about chatrooms and members’ fora, often associated with brands?
The other key difference is potentially more positive for the business community. Unlike GDPR, the UK law does not allow privacy groups (e.g. Open Rights, Privacy International) to campaign against companies, although consumer organisations can. The upside of this is that complaints are likely to be more concrete and based on specifics rather than just principle.
As could be expected, the more controversial elements of the GDPR remain. A data breach must still be reported within 72 hours of becoming aware of it. This has serious consequences for communications professionals and the organisations they work in, as the concept of ‘awareness’ is clearly likely to be challenged and will probably take legal precedent to establish.
Furthermore, any failure to meet the requirements to report a data breach would result in a fine of up to £17m or 4% of global turnover, so for businesses like Amazon or Facebook potentially in the billions. The damage is not just immediate and monetary: a fine could harm the business’s reputation and bottom line in both the short and the long term, as any punitive action against a business will likely be seen as an admission of culpability.
As the UK Government’s Digital Minister, Matt Hancock, said: “The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world.”
What should communications professionals do?
Secondly, once there is a clear understanding of the existing processes and where the gaps are in relation to the requirements, a working group should develop protocols to be deployed in case of a cyber breach with specific consideration given to the new reporting requirements. It is important that this working group involves C-level executives, IT, compliance and data officers as well as the senior communications team.
Thirdly, the company must ensure that all security measures are implemented, that any necessary training is provided and that its customers are aware of how their personal data is protected at all times. In high-profile industries like banking and consumer technology, companies need to be proactive in communicating what they are doing to counter any threat, or they risk being seen as at best complacent and at worst ignorant.
With the legislation in the UK and EU now beginning to diverge in name, if not in practice, organisations that operate across jurisdictions need to ensure alignment and demonstrate that they are ahead of the legislation and that its aims are already their guiding principles. While all this may be seen as an inconvenience, and at worst as an infringement of business confidentiality, organisations should see data protection regulation as an opportunity to prevent reputational damage, improve their image and help customers trust the company with their data.
Trust and reputation are hard to gain but easily lost, so any measures designed to help prevent this should be viewed positively and prepared for pragmatically.