Regardless of industry, companies are subject to data protection laws according to their jurisdiction.
U.S. companies must remain compliant with U.S. data protection regulations, and so on. Companies in the healthcare industry or those that process credit card transactions are subject to specific regulations such as HIPAA and PCI-DSS.
However, in the last few years, as data protection laws stagnated in the U.S., the EU was taking steps to protect its citizens' data privacy, not just in the EU but worldwide, making the GDPR (General Data Protection Regulation), which came into effect on May 25, 2018, perhaps the most disruptive data protection law ever created. Simply stated, it means that all companies must handle the data of EU residents and their companies in a responsible manner, including “the right to be forgotten,” a mandatory removal of data on request. Fines and other penalties are also part of the regulation.
Given this situation, it’s glaringly obvious that UK companies with EU dealings must be compliant with GDPR, and Brexit has little to do with it. Nonetheless, some companies in the UK are waiting for Brexit before deciding how to approach the GDPR, as if it will somehow eliminate the necessity for GDPR compliance. As Brexit approaches, what is the situation for UK regulations?
What are England's Current Data Protection Laws?
Before May 2018, the UK had one primary data protection law – the 1998 Data Protection Act, which governed all industries and included some requirements in common with the GDPR. Luckily, the UK government had an ace up its sleeve, introducing the 2018 Data Protection Act with commencement regulations active on the same day as GDPR and other sections active from 23 July. The good news for UK data controllers and processors is that it supersedes the 1998 act and brings the GDPR into UK law (companies have not wasted their efforts in becoming GDPR-compliant).
“What is the GDPR compliance checklist?” Well, with GDPR part of the 2018 Data Protection Act, it is still valid. However, you will have to check the exemptions sections to determine exact requirements for processing personal data, depending on company activity and destination of data.
Assigned data protection officers still have a purpose, and the UK has personalized the regulations to include exceptions and define frameworks for data deemed “in the public interest” (including journalism) and usage by law enforcement and intelligence communities. Such flexibility may not have been possible as an EU member. Still, it’s not the first time the UK has surprised us, by becoming an EU member and retaining its currency, for example.
In any case, just one year after the year of the data breach, it is time that regulations forced a risk-based approach to managing personal data, especially when substantial fines and penalties are part of the enforcement strategy.
Will the UK keep GDPR Regulations if it Leaves the EU?
It’s time to dismiss all the common questions seen in the media and online in relation to this subject. Yes, the UK will keep the GDPR regulation, but as part of its own 2018 Data Protection Act.
When Brexit occurs, it will not change the 2018 act which perfectly complements the GDPR, with some variations including the minimum age of consent for information society services (13) and other regional differences that reflect UK law and national security interests.
What elements of the GDPR will the UK keep if it leaves the EU? All of them, as protecting its citizens’ right to privacy is important. With GDPR, privacy is assured by design, and the 2018 Data Protection Act is more of the same.
How should UK companies prepare for the possibility of the UK leaving the GDPR area? By becoming familiar with the 2018 Data Protection Act. Companies in the middle of a GDPR compliance program can simply adapt to the additional requirements of the UK legislation.
In short, Brexit or not, the principles of GDPR are also included in the UK’s 2018 Data Protection Act. The onus is still on every company to handle personal data in a responsible manner, which should be normal practice.
Challenges of Compliance for UK Companies
Since 1998, UK data protection standards have considered the privacy of personal data and the data governance principles outlined overlap with many of those in the GDPR. The new 2018 Data Protection Act takes it a step further and is in line with the GDPR, with the exceptions mentioned earlier.
Let’s outline these principles first and then discuss the potential challenges involved for UK businesses in implementing each one when personal data is involved.
- Purpose limitation – If I provide personal data (such as an email address) for communication purposes, I do not want to end up on mailing lists or third-party databases. Again, where is the challenge?
- Data minimization – Storing only the data required for agreed-upon activities. Adding data in case you need it is not the aim. Challenge? More common sense.
- Accuracy – The ability to ensure the data you retain is accurate, up to date and deleted if no longer required.
- Data retention periods – Unless governed by tax or accounting requirements, data should be deleted (or securely archived in some cases) as soon as it is no longer needed.
- Data security – Expected in a digital age, but it also applies to third parties with access to personal data. As the data controller, you must ensure they are compliant. All third-party data processors must prove compliance, as you are ultimately responsible if a data breach occurs.
- Accountability – Proving that data protection measures are compliant. This is deceptive and much harder to achieve than it appears.
Data security is a little more difficult but once you identify the potential risks, you can take steps to eliminate them. Do you transfer data externally? How? Is secure FTP with an audit trail necessary? Clue: Yes, it is. Are your devices and drives encrypted to prevent access to data if lost or stolen? Are you protected against hacking? What is your overall security posture?
Finally, accountability is a toughie, but a managed FTP solution can prove where data resides, when it was received and whether it was sent externally. This is a huge time saver and can also reduce costs in the event of a data breach. When you can quickly prove you are not responsible, it prevents regulatory penalties and enhances company reputation.
In conclusion, while many of the requirements of the GDPR and the 2018 Data Protection Act are designed to prevent unethical or inappropriate use of personal data, the data security and accountability requirements of storing and managing personal data call for a managed file transfer solution, where permission-based access, logs and full audit trails can prove compliance. Without a managed solution, it’s all just guesswork, given the myriad ways that data can leave a company, such as VoIP, chat software, social media and cloud storage. What do you think? Are you prepared to handle personal data effectively?