Brexit And GDPR – A Politics-Free Post
A big part of my job for the last few months has been updating my agency’s data protection policies and practices in order to get us in line with the forthcoming EU data protection law, known as the GDPR (General Data Protection Ruling). It’s been a lot of fun, and it’s not quite over, but some people have asked me whether all that work’s been scuppered after the result of “Brexit”.
Before you read any further, just know there will be no politics in this post, nor in any subsequent discussion. I don’t want to get into that; this is just my professional perspective on data protection for UK businesses going forwards.
A Bit About The GDPR
Before I get into the specifics of what needs to be done now and why, let’s just have a quick breakdown of some key points on the GDPR:
- The GDPR aims to be the gold standard for data protection around the world. To be honest, looking at a number of other frameworks around the world, including our current one and America’s “Privacy Shield” data sharing framework between the US and the EU (which, frankly, looks like it was written by the NSA), that’s not as large a challenge as it sounds.
- The GDPR comes into effect on the 25th May 2018. No matter what happens with Britain exiting the EU, there’s a minimum of two years before it fully happens, meaning that British businesses will be subject to it for a time.
- For British businesses to continue trading with the EU, our data protection laws need to be as stringent as the GDPR. I firmly believe that every business should be striving to meet and exceed these laws in these data-heavy times, especially with high profile breaches happening as regularly as they are.
If any of this is news to your business, you can have a read of the full text here. I’ve read the whole thing a number of times. It’s riveting.
So What’s The Post-Brexit Data Protection Plan?
To be honest, it’s pretty simple: if you’re already working towards getting in line with the GDPR, if you have a plan in place to comply with it and (hopefully) exceed it, keep doing that. If you’re not working towards that goal, or you don’t have a plan, get to work – you’re going to need to do it anyway, and it isn’t a small job.
Even if the UK ends up leaving a month or so after GDPR comes into being, that work you’ve been doing towards getting in line with it won’t be wasted. The GDPR is a great example of best practice for the modern business dealing with data. There are a couple of areas that I think it could be firmer on, but that’s just my own opinion. It is, without a doubt, a much better framework than our own outdated Data Protection Act, so keep doing what you’re doing.
We’re Getting A New Information Commissioner
If you haven’t started, or if you don’t think it still applies, there’s one important thing to note: our incoming Information Commissioner Elizabeth Denham is known for being pretty stringent – considering she took on Facebook and got them to make changes in the name of privacy, I don’t see much slipping past her. Not that the outgoing Information Commissioner Christopher Graham wasn’t awesome too, but there are also some changes coming to the way the Information Commissioner’s Office will be working.
Previously, the ICO was funded by the government. This will be changing with Ms Denham’s appointment. While there hasn’t been any concrete ruling on where the money’s coming from yet, there’s the possibility that the ICO may be funded at least partially by fines in the future. The GDPR allows for fines of up to €20 million or 4% of global turnover, whichever is higher, and I’d be very surprised if the ICO doesn’t implement something similar.
Either way, the new Information Commissioner will be expected to put new data protection laws in place which at least match the GDPR post-Brexit. I wouldn’t be shocked to see us ending up with something even firmer, but in the meantime, working towards GDPR compliance will stand you in good stead.
It’s Just Good Practice
Ultimately, it comes down to the extent to which your business deals with data and the degree to which you want to monetise it. Data is the key marketing commodity right now, and that’s only going to increase, so it really is in the interests of all UK businesses to get to work on GDPR compliance. Whatever happens next, we at least know that this isn’t going away.