Brexit referendum leading to lack of clarity on future of data protection

Data protection plays a central, if slightly understated, role in our society, and as the digital economy grows so too will the need for clear and effective regulations.

While the UK has a history of providing legal protection for the personal data of consumers, the Brexit referendum has raised some questions about the future of the laws in this area and cast doubt over the next steps our local businesses should take in order to remain compliant.

Tougher EU data protection rules were agreed in Brussels in December 2015 and these are due to come into force in April 2018. Known as the General Data Protection Regulation (GDPR), these will affect every entity that holds or uses personal data both inside and out of Europe.

While some long-established data protection principles will remain unchanged, GDPR will introduce some new concepts. The most significant will see a single legal framework applying across all EU member states without the need for national implementation.

There will be a risk-based approach to compliance, with businesses bearing responsibility for assessing the degree of risk that their own processing activities pose to individuals. The concept of ‘pseudonymisation data’ will be introduced, which will help organisations comply with their obligations.

Binding corporate rules will be implemented, which will bind data protection corporate policies and programmes that are used to lawfully transfer personal data globally within a group of companies.

There will be increased enforcement powers, with maximum fines of up to €20 million, or 4 per cent of annual worldwide turnover, whichever is greater.

Businesses will be required to implement data protection by design, when creating new products, services or other data processing activities, and by default, by implementing data minimisation techniques.

Some companies will need to introduce data protection compliance programmes, including having a designated data protection officer. There will also be the right to object to ‘profiling’, which includes most forms of online tracking and behavioural advertising, making it harder for businesses to use data for these activities.

Many companies have anticipated that the planned changes will increase the cost of doing business in Europe, an eventuality that many local companies have been preparing for.

The Brexit process outcome will be revealed before the GDPR is implemented and in the case of an out vote it may be that steps are taken to not apply the regulations in the UK. This would likely result in the UK Data Protection Act being preserved until a post-Brexit option is adopted.

Businesses are being advised to prepare ahead of time for both eventualities. By waiting for the referendum results before developing a strategy to manage potential changes to data protection, directors would leave themselves with a short 18-month window to implement new measures.

Whether we have Brexit or not, GDPR will still apply to UK companies dealing with the EU. To have a regime separate and distinct from the rest of the EEA, I believe, would therefore be to the serious detriment of our service-based industries, particularly the banking and financial services sectors.

Even if we leave Europe and adopt a bespoke UK regime more stringent than the GDPR, the lack of harmonisation could interfere with smooth trading relations under some form of bilateral trade arrangement we have instead of our EU membership.

Regardless of Brexit, the UK Data Protection regime needs a refresh to make sure it keeps pace with modern-day life and technology.

:: Dawn McKnight is a partner in the corporate team at Carson McDowell