The EU’s new data protection law, the General Data Protection Regulation (or GDPR), is forcing companies to change the way data is handled. Since the regulation came into effect this past January, efforts to achieve compliance have stepped up. This will lead to important discussions between departments like IT, marketing, finance, sales and the senior management team.
Even though we have nearly two years until GDPR is enforced, it could easily take about that long to achieve cross-functional consensus, get budgets approved, and implement tools and policies to assure compliance.
Preparing With Brexit Uncertainty
Many observers like yours truly have for some time advocated a review of current practices as a first step to complying with the GDPR. Giving yourself a slow and steady lead-in to a change as potentially significant as the GDPR makes good sense. Right? Well, not so much now that the EU referendum (aka “Brexit”) on June 23 looms large. In the event that the UK leaves the EU, the road to compliance will no longer be clear.
Brexit illustrates the need to approach data protection compliance with a light touch and a firm hand. A light touch is needed because all the underlying tools, infrastructure and policies regarding data handling need to be flexible enough to accommodate multiple scenarios, including ones we haven’t come across yet. A firm hand is needed because auditing procedures and mechanisms need to be rigorous enough to secure compliance. At the end of the day, if you can’t track it, it isn’t secure.
The outcome of the Brexit referendum is too close to call. According to the BBC, as of today my fellow Brits are 43% for it, 42% against it, and 15% undecided. Businesses will sort out their position in the event of Brexit, including how the different outcomes will affect current GDPR and other legislation affecting data protection.
If the UK remains part of the EU, the GDPR will apply. If the UK leaves the EU, it’s uncertain whether or not the UK would want to adopt a data protection regulation that’s considerably more onerous than the current one. Recalling the UK’s opposition to some of the more stringent measures proposed by the GDPR, experts have hinted that the UK would be more likely to adopt something not unlike the data protection law currently in place.
Data Transfer: Deal or No Deal
Roughly 40% of UK exports go to the EU. In other words, businesses will have to find a way to continue to do business with the EU, and they will still need to transfer data – personal and otherwise – to and from the EU. If the UK leaves the EU, it would need to make sure that this data was being adequately protected, and that would need to be agreed in a separate deal.
According to Emily Taylor, associate fellow in International Security at Chatham House, a new data transfer agreement along the lines of Safe Harbour, combined with the Investigatory Powers Bill (the “Snoopers’ Charter”), could jeopardize data sharing between the EU and UK, with severe economic impact. It’s worth noting that this view is not universal. A number of other pundits agree that a new deal would be required, but point out that there are already precedents such as the arrangements with Switzerland and Canada.
Comply with GDPR, Or Else
Pragmatists might argue that even if the UK votes for Brexit and is not signed up to the GDPR, it’s likely to need to adhere to something very similar in order to continue to transfer data to and from the EU. The DMA, the organisation representing the direct marketing industry, is very clear on this point and urges companies that “the referendum is not a reason to delay plans to understand and become compliant with the GDPR.”
Senior management may disagree with this view when facing increased spending as a direct result of the GDPR. Ipswitch’s own survey into GDPR preparations revealed that more than three quarters of UK-based companies say that keeping up with data protection regulatory requirements will cost them financially. This would include investing in new tools and technologies, and also setting aside training budget to help staff understand the new systems.
Any IT teams tempted to stall GDPR preparations until after Brexit should bear in mind that the GDPR is focused on protecting personal data belonging to EU citizens, no matter where that data resides. The compliance requirements will not go away and it is advisable to maintain momentum around preparations.
Practical Next Steps
Data flows are fundamental to the GDPR. Data is at its most vulnerable when in-transit. Moving data securely and reliably may find itself in the spotlight if Britain leaves the EU. Understanding your secure file transfer policies is going to be a critical success factor.
Managing the transfer and storage of all files between customers, employees, partners, and systems is daunting. One technology that can help is a managed file transfer system that makes data accessible while giving IT teams a lot more control and visibility.
Five GDPR Requirements You Should Be Thinking About Right Now
1. Explicit Consent
Sign-up procedures and configuration settings will need to be re-designed in line with the requirement for explicit consent.
2. Profiling Users
People will object to the use of personal data for profiling, such as the profiling used in direct marketing. Tracking users across different systems requires you to get clear consent and to describe every step, including where, how and what data is stored.
3. The Right to Be Forgotten
To fulfill this requirement, it’s critical to design your system so that users can review their data, request rectification, or withdraw previously given consent.
4. Data Portability
The easiest way to enable individuals to port their personal data from one service provider to another will probably involve commonly used standards and making services accessible through a well-designed API — one that may even allow downloads in a common format, like XML.
5. Redesign Systems With Privacy and Encryption by Design
“Pseudonymisation” is a new buzzword: a privacy improvement technique that ensures non-attribution. This means the data needed for attribution (such as the data you need for logging into the system) is not stored together with transaction data (the actual actions performed by your users), which greatly reduces the risk of harm to data subjects.
The regulation requires you to report data breaches within 72 hours of discovery, unless the affected data has been strongly encrypted.