Print.IT - Summer 2016 - page 26

COMPLIANCE

GDPR: What next?

Brexit has raised the issue of how businesses should prepare for the General Data Protection Regulation, which EU countries must implement within two years. Here we present arguments for and against UK mirroring legislation.

FOR

Why the GDPR is here to stay – probably

Peter Galdies, Development Director at DQM GRC, gives six reasons why UK businesses must still heed the General Data Protection Regulation (GDPR).

Whilst the decision by the people of the United Kingdom to leave the European Union has implications for the legislative framework for privacy in the UK, these implications are unlikely to significantly affect the need for organisations to adopt the General Data Protection Regulation (GDPR). Here are six reasons why:

Reason 1: The 2+ year negotiation phase…

Formal negotiations for exit won’t start until after Article 50 is invoked (giving our official notice to leave the EU), and this now looks likely to be in September 2016 at the earliest. During the mandatory 2-year MINIMUM period, all existing legislation (including GDPR) will continue as before. This period of negotiation could be much longer; many estimate as long as 3-6 years. The GDPR is actually already law and although organisations have a 2-year window in which to meet compliance, it would be unwise for businesses to assume that after this period there will no longer be a need to comply…

Reason 2: Trading with the EU?

The GDPR applies to, and can be enforced against, organisations that process data on EU citizens regardless of their nationality or location. It doesn’t matter if you are in France, Germany, the USA or India, the GDPR law (and its subsequent penalties) can be applied. Therefore, UK-based organisations attempting to do business with EU citizens in Europe must comply with the Regulation. Failure to do so presents the risk of substantial fines – up to 4% of global turnover.

Reason 3: We just trade in the UK so we’re OK, right? Maybe not…

With over 3 million EU citizens resident in the UK – and at least 2 million of these in employment – the chances are that your business might have data relating to EU citizens.

The GDPR is primarily concerned with processing personal information about individuals who reside in the EU (although the EU Parliament also seems to consider residence irrelevant), offering goods and services to these individuals or monitoring their behaviour. However, who determines whether someone is a resident or not? Does a two-month holiday in London by an EU citizen mean that they are a non-resident? Does the individual need to be granted residency status within the UK to be excluded from the terms of the GDPR?

Reason 4: The Information Commission thinks so…

According to a statement on the 26th June from the ICO: “If the UK is not part of the EU, then upcoming EU reforms to data protection law

Peter Galdies, Development Director, DQM GRC

Daniel Castro, Director, Center for Data Innovation

AGAINST

Brexit Allows UK to Unshackle Itself from EU’s Cumbersome Data Protection Rules

Daniel Castro, director of the Center for Data Innovation, argues that implementing the GDPR is inimical to innovation and offers no guarantees that the EU would consider it sufficient to meet its adequacy standard.

The decision by the United Kingdom to leave the European Union will soon launch one of the largest policy undertakings ever, as British leaders and diplomats race against a two-year deadline to negotiate new arrangements with the European Union and new treaties with other countries previously governed by agreements made through the EU.

While the first order of business will be ensuring British citizens can travel abroad and British companies can access foreign markets, in today’s digital economy there should also be a significant focus on how the UK will ensure the free movement of data both internally and across borders. Fortunately, this is one of the bright spots for the British economy, as the UK will now have an opportunity to replace the stringent EU data protection regulations with a more forward-looking set of rules that enable data-driven innovation and, in so doing, cement the country’s leadership in the digital economy.

A lonely voice

The UK has long been a lonely voice of reason in the EU, arguing for light-touch regulation of the digital economy even as countries such as France and Germany have overruled it. The result has been that while the digital economy is stagnant in the EU, it is thriving in the UK. Indeed, as a share of GDP, the Internet economy in 2016 is expected to reach 12% in the UK, far above the 3% and 4% in France and Germany.

Yet some in the UK want to continue to bind the British economy to EU-style data regulations out of fear that failing to do so would create a regulatory headache for British companies doing business in the EU.

While it is true that British companies need to be able to process personal data of employees and customers in the EU, there are multiple paths to achieve that goal, and mirroring EU rules is not the best option.

Limiting innovation

First, the EU’s General Data Protection Regulation (GDPR), set to come into effect in 2018, will likely further limit digital innovation in EU member nations.

The GDPR establishes strict rules on how companies can collect and use personal information. For example, the rules mandate that companies specify how they will use data before they collect it, a