The EU is raising the bar for personal data protection with the General Data Protection Regulation (GDPR), which applies from 25 May 2018. That leaves businesses worldwide roughly ten months to bring their data privacy and security practices into line with GDPR's requirements, or face fines of up to 4% of annual worldwide turnover or €20 million (roughly £17.9 million at the time of writing), whichever is greater.
Despite Brexit, UK companies are still ramping up for GDPR compliance: the UK remains a member of the EU until at least the end of March 2019, and GDPR applies from May 2018, so UK organisations face an absolute minimum of ten months under the regulation.
What does this mean for the UK post-Brexit? Does the law still apply?
The answer is yes if you offer goods or services to people in the EU, monitor their behaviour, or otherwise hold their personal data: GDPR's territorial scope (Article 3) turns on where the data subjects are, not on their citizenship or on where your company is established. Post-Brexit, Parliament is expected to legislate a similar data protection regime aligned with the EU's, since an equivalent level of protection is what allows personal data to keep flowing between the UK and the EU. Members of Parliament see immense value in the regulation, especially now that cybersecurity is top of mind for every company; GDPR adds a further safeguard for the personal data companies hold about their customers and employees.
Much of the work now under way to become compliant is simply good business practice, and UK companies are embracing the challenge. For instance, GDPR requires public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, to appoint a Data Protection Officer (DPO) to oversee compliance, and many other organisations are appointing one voluntarily. UK companies have more DPOs than any other country in the EU and continue to hire them, showing a commitment to the regulation.
Amir Ameri, our own VP of Global Risk & Compliance and DPO, notes, “Executives now face a sprint of thorough internal evaluations to revamp policies around collection, storage, or usage of EU resident personal data. The financial implications of breaching GDPR are astronomical. We recommend mapping all data assets and appointing dedicated Data Protection personnel on a full-time or contract basis to properly oversee the adoption of high-caliber data protection processes and technologies.”
GDPR compliance is necessary regardless of Brexit, for several reasons. The major consequences of non-compliance are heavy fines and the loss of customers. GDPR's reach stretches far beyond the EU's borders: if your business processes the personal data of individuals in the EU in any way, you are subject to every requirement the regulation sets out, whether or not you have an EU establishment. UK companies that do not comply therefore risk losing EU clients, who are themselves obliged to use only suppliers that offer sufficient guarantees of compliance.
Gabrielle Griffith, Director at compliance consultancy BPE Global, stresses the importance of internal due diligence across the organisation before GDPR takes effect. "Any company doing business with EU entities is affected," Griffith states. "For example, global companies that maintain a website to solicit sales from potential EU customers will be subject to GDPR requirements."
With the compliance deadline approaching, UK companies need to demonstrate serious investment in the personnel and policy changes required to store and manage personal data securely. Start a cross-organisational security assessment now: it will not only keep the business GDPR compliant but also reduce the risk of a future breach.