The announcement this week from the UK Government that it will largely follow the EU General Data Protection Regulation (GDPR) when the UK leaves the EU has been widely anticipated: UK organisations will face a £17 million fine, or 4 per cent of global turnover, if they fail to protect against personal data breaches. As one of the firms that participated in the planned reforms and that is already helping a number of organisations implement the GDPR, we believe such reforms are good for UK citizens and, if implemented in the right way by UK industry, good for the UK as a whole.
The announcement also sets out the proposed derogations from the GDPR which the UK wishes to implement into UK law, such as:
We agree that, with these proposed derogations, the new Data Protection Bill will provide the UK with one of the most robust, yet dynamic, sets of data laws in the world. It will cover both the private and public sector, and will help safeguard essential services in areas like water, energy, transport and health. We also expect that it will require organisations to show they have a strategy to cover unanticipated events that pose a threat to data protection, such as power failures and environmental disasters.
In a global digital economy, users expect their personal information to be respected and managed securely by those with whom they share it. We are also seeing that those organisations that embrace the GDPR are forming stronger and improved relationships with their employees, stakeholders and customers. Organisations that demonstrate they care about and respect personal data feel that they will gain a competitive advantage.
The new bill also recognises the changing nature of what constitutes personal data in the digital economy, including aspects such as IP addresses. Given that the latest legislation around the Investigatory Powers Act covers such definitions of personal identifiers, it makes sense for data protection legislation to be aligned.
Matt Hancock, the Minister of State for Digital, has stated that fines will be a last resort and will not apply to firms that have suffered an attack but had put safeguards in place. However, one of the key challenges we see in the implementation of the GDPR is assessing just what constitutes an adequate safeguard. For example, the existing GDPR legislation exposes a number of grey areas, such as how much encryption technology an organisation should use. Partly because of this, organisations have taken matters into their own hands: one firm recently went so far as to delete all of its customer data.
Rather than viewing the GDPR with frustration or even alarm, organisations need to think carefully about how they comply with it. A well thought out plan based on risk assessments will enable organisations to prioritise their response in a targeted way. This will save scarce time and resources and ensure the business can continue to operate, and even thrive, despite the changes underway.