Should we still worry about EU GDPR?

James Henry explores the implications of Brexit on the adoption of the EU GDPR legislation

James Henry, UK southern region manager, Auriga
James Henry, UK southern region manager, Auriga

Brexit has caused a great deal of confusion over how the regulatory landscape will pan out, particularly regarding the EU General Data Protection Regulations (GDPR). But the general consensus is that organisations will still seek to comply with the legislation in order to oil the wheels of progress and trade. Similarly, although the EU GDPR was never going to be compulsory for some public sector bodies, the assumption was that the public sector would always embrace the legislation.

It's easy to see why. The EU GDPR is long overdue in terms of rationalising how data is protected and redacted. It aims to address data protection issues, acknowledges the different demands of data management created by cloud computing and social networking, and enshrines principles such as the need to protect user privacy, and finally introduces some serious repercussions for those who fail to comply.

The GDPR was finalised in December 2015 and adopted by the Council of the EU and the European Parliament in April 2016, with enforcement of the legislation expected in May 2018. The aim was to have one law applicable across 28 EU countries and while the UK may no longer be part of the EU, trade agreements will likely see EU GDPR become widely applied if not mandatory. The major changes are in:

  • Scope: the framework will include all EU-based organisations and citizens
  • Reporting: reform to Data Protection Authorities; incident response notification, which will integrate Data Protection Authority notification 
  • Design: privacy-by-design and default principle
  • Risk: data protection impact assessment and risk assessment processes will be strengthened
  • User emancipation: informed consent obligations; “right to be forgotten” adoption (named “right to erasure”); enforcement of users' right to observe collected data.
  • Control: data protection officer role reinforcement
  • Punitive measures: new sanctions enforcement

It's unclear how many of these changes will apply but make no mistake, there will be change. In a statement on 24 June 2016, the ICO said  "The Data Protection Act remains the law of the land irrespective of the referendum result. If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018. With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO's role has always involved working closely with regulators in other countries, and that would continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.” That could see the UK mirror the requirements, as it did back in 1998 with the DPA which was drafted to comply with the EU Data Protection Directive in 1995, or it could see us simply adopt the same regulation.

Taking the time to adapt to these changes now will ensure the organisation can become compliant in an organised and systematic manner but much is unknown so for now the organisation should tackle challenges in two stages. Immediate actions include completing an information audit and risk impact assess to determine how reforms will be actioned. Protective and detective measures should be identified and assured, and the organisation should look to use this information to assess and update incident response procedures.

Going forward, and once the dust has settled, the organisation can then consider the broader sweep of recommendations. These include appointing a Data Protection Officer, selecting Data Protection Agency/ies and educational programmes raising awareness and training personnel over changes in dealing with personal data. It should also hopefully become clearer how the EU GDPR will fit in relation to the EU-US Privacy Shield controversy as the danger is that we could find ourselves trying to please all of the people all of the time.

What both the US and EU regulations illustrate is that data protection regulation is both needed and constantly evolving. The EU GDPR is by no means a definitive finite reform. It has not managed to fully integrate the Big Data revolution. Issues such as behavioural analytics, predictive analytics, user/usage profiling and psychosocial characteristics extraction are not fully accommodated, especially when you include emerging technologies such as the Internet of Things which is expected to further radicalise data analytics and data protection. The era of IoT and wearables will be heavily supported by Cloud Computing and user-generated content.

Future issues include:

  • Conflicts of interest: controversies surrounding how the regulation relates to national legislation
  • Extension: the need to address employee data protection in the future (is talent acquisition going to get even harder?)
  • Open to interpretation: could different interpretation and nationalisation of the EU legislation affect application of the proposed regulation?
  • Sovereignty: new laws regarding data portability shall arise since this issue has not been adequately addressed

So perhaps we should all regard the EU GDPR not as a definitive set of regulations but as a starting point, and a very valid one, for our revision of data protection practices.

Contributed by James Henry, UK southern region nanager, Auriga