Theresa May seems set to invoke Article 50 of the EU treaty by the end of March 2017. But with a lot of discussion and speculation still in the air, it’s easy to lose sight of some points of certainty and fact. For example, businesses absolutely need to prepare for the EU’s General Data Protection Regulation (GDPR), writes Michael Hack, SVP EMEA Operations at IT management software company Ipswitch.
It will be enforced from May 2018, which is at least six months before the UK leaves the EU. Unlike EU Directives, Regulations like the GDPR don’t have to be transposed into local law but take effect directly. This means UK businesses must comply or face fines – now agreed at four per cent of global turnover – and possibly even prosecution direct from Brussels.
Even if the UK decides to find a post-Brexit alternative to the GDPR, UK companies dealing with the EU will still need to adhere to the legislation because it relates to the rights of EU citizens, regardless of where they are physically located. So, the common argument that the GDPR is not relevant because a company doesn’t have operations, subcontractors or subsidiaries in the EU and its data is held on servers in the UK (or outside the EU) isn’t correct. If a business continues to deal with EU citizens, or even non-EU citizens who are resident in the EU, after Brexit, then it will have to abide by the GDPR.
Now that you know you have to deal with the GDPR, it’s worth understanding some of its basic principles, how they might impact on your current business operations, and how you should ensure compliance:
1. The right to be forgotten
For the first time, EU citizens will have the ‘right to be forgotten’. This means customers or staff have the right to withdraw consent to letting a business store or use their personal data and to request that data pertaining to them be deleted. Businesses must then act immediately and delete the data. There are no exceptions.
2. Explicit consent to store data
Companies will have to make sure that consent to collect and store any personal data is explicitly granted by the person to whom it pertains. Implied consent is no longer sufficient. In practical terms this means that requests to hold data must be made in a clear and plain format. In addition, data must be given freely and not because withholding would limit access to services (like providing personal details to get a loyalty discount, pre-release of concert tickets or to gain access to free public WiFi services).
3. Obligation to show what information is stored
Businesses will be obliged by law to let individuals see their own data and to release that data to them in full upon request. This is meant to make it easier for people to transfer personal data from one service provider to another – for example, between phone, broadband, gas or electricity providers.
4. Fast notification of data breaches
UK organisations will need to notify the Information Commissioner’s Office (ICO) within 72 hours about serious data breaches. They will also need to be able to inform affected individuals within the same timeframe if a breach affects their fundamental rights as set out in the GDPR.
Make sure that decision makers and key people in your business are aware that data privacy and protection laws are changing, and help everyone in the company appreciate the impact this is likely to have.
Businesses also need to check procedures and ensure they cover all the rights individuals have, including how to ensure the mechanics are in place to delete personal data on request or provide data electronically and in a commonly used format.
Carefully assess how personal data is transferred within the company and whether it is ever sent to authorised third parties such as cloud service providers, data analysis companies or even the external legal or accounting teams. We suggest serious consideration is given to the deployment of secure managed file transfer software in each of these scenarios.
Preparing for faster responses to data breaches
Make sure the procedures and processes are in place to detect, report and investigate a personal data breach. Existing procedures and plans should be reviewed to ensure breaches can be reported to the ICO within the designated 72 hours.
It’s unlikely that the UK’s departure from the EU will put a halt on adopting the GDPR. So, even with all the post-Brexit uncertainties taxing the minds of the UK business community, it’s definitely the right time to start preparing for a new and more rigorous set of data protection and privacy laws which will, undoubtedly, start to come into force in the next 12 to 18 months.