As the European Union and United Kingdom continue with Brexit negotiations, both parties are also preparing for the implementation of the new General Data Protection Regulation (EU GDPR), which becomes legislation on May 25th, 2018. While the UK will be exempt from other European legislation by March 2019, the EU GDPR will apply to every organisation, large or small, that manages data of EU citizens. To further complicate matters, the UK government this month has also introduced its own Data Protection Bill, which for the most part mirrors the EU GDPR. This bill is still in its infancy and is far from being passed into legislation, but in the meantime UK organisations must not ignore GDPR and should begin preparing to comply with the EU law.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). Put simply, the legislation states that the personal data of all citizens of the European Union is protected by EU GDPR even if that data is processed by an organisation from a non-member state. By failing to adhere to this ruling, such organisations put themselves at risk of heavy fines – a maximum of €20 million or 4% of annual turnover.
Results from a recent survey by Crown Record Management indicate that 24% of UK-based organisations have cancelled preparations for the regulation, while 4% have yet to begin preparations. This contrasts with a report from the International Association of Privacy Professionals, which states that 94% of companies with privacy professionals are preparing for compliance with GDPR, and over 58% are investing in privacy training for their staff. The report also states that UK privacy professionals are 9% more likely to build a relationship with a consultancy as opposed to a law firm.
Results in the report from both a UK-based survey and a Global Governance Survey from the end of 2016 outline some of the highest-ranked challenges listed by privacy professionals in relation to GDPR compliance. The “right to be forgotten” is named as the number one difficulty for both groups of respondents, while data portability, understanding research allowances and gathering explicit consent are the next three biggest challenges for UK professionals.
3rd Party Country
Britain’s eventual departure from the EU will make it a “third party country”. The UK will then require a mutual legal assistance treaty with the EU, as exists between the Union and the USA, to process, transfer or disclose personal data of EU citizens. However, the UK parliament appears to be taking a different approach. In spring 2016, the UK minister responsible for data protection, Baroness Neville-Rolfe, announced that the UK Government has chosen to opt out of this portion of the GDPR “because of concerns relating to the integrity of the UK legal system”. This may cause further tensions in Britain’s relationship with the EU and cause confusion for UK organisations.
Even though Britain is slowly edging towards the European exit door in March 2019, GDPR will be active in all EU member states ten months before that, which means UK companies must not ignore these regulations, especially as the UK government is now announcing its own version of the Data Protection Bill. This bill, for the most part, is a copy of GDPR. It will go before the House of Commons next month and, according to reports, is being fast-tracked. Even if the Data Protection Bill were not on the way, GDPR would still affect any UK company that manages data of EU citizens. The location of your operations is not a factor; what matters is where the user’s data comes from.
The GDPR provision relating to companies from non-member states or “third countries”, which says they must abide by the regulation when processing personal data of EU citizens, will apply to every UK company. Brexit or not, British-based companies must prepare for GDPR to avoid those hefty fines.
The key point for businesses to understand is that demonstrating compliance will be essential. The future of data protection is about providing transparency and security for users’ data. If an organisation is found in breach of these regulations, the financial impact can be significant, not to mention the long-term damage to its brand.
Contact Certification Europe today and learn how ISO certification can help your organisation comply with EU GDPR.