A month before the UK chose to leave the EU, the European Union's General Data Protection Regulation (GDPR) was signed into law. The act is designed to change the way businesses approach data protection from its 2018 enforcement date.
Replacing the EU Data Protection Directive, it has considerable scope in standardising and unifying data privacy requirements across member states and any business that markets to EU data subjects.
With strict guidelines around obtaining consent for data collection and individual profiling, alongside far more comprehensive definitions of data, non-compliance will trigger heavy fines - either €20 million (£17 million) or four percent of global turnover, whichever is greater.
Off the hook
If we exit the EU before the GDPR is enforced in 2018, technically the legislation won't apply. In practice, however, the international trading implications of the GDPR mean the UK will need to broadly align its laws around handling EU citizens' personal information to maintain a close trading partnership with the EU member states.
So while those IT departments who believe GDPR stipulations impose a heavy burden might consider Brexit a handy escape route, the reality is this: Brexit aside, to continue as trading partners with the EU and remain in the European Economic Area, UK businesses will need to adopt a broadly similar framework of standards to protect EU citizens' information.
This is a positive thing, holding huge opportunity for UK business. The regulation's objectives and framework are vitally important in today's global digital economy. Meeting the new requirements will help protect UK businesses and citizens from much of the catastrophic damage caused by major cyber-attacks and mitigate many of the threats before they occur.
With only two years to meet compliance requirements and implement the changes to business systems and operations, now is the time to start the process of transforming the way businesses collect and use personal information and data.
Firstly, it's important to remember that the GDPR is a set of rules governing the security and management of any data that could be used to identify someone. Companies will have to immediately notify the authorities within 72 hours of any breach of an EU national's data to avoid a fine.
There's currently no UK requirement to do this and many don't due to the potential reputational impact. Recent examples, including TalkTalk's experience, demonstrate the potential damage to profit and trust following public data leaks.
To meet this requirement, businesses will need to deliver huge overhauls of their current systems to ensure breach protocols are compliant. The final draft won't be ready for some time, but companies should closely examine the current version to get up to speed.
From a technical perspective, the GDPR separates responsibilities and duties for both data controllers and processors. Controllers will only be able to engage processors that provide sufficient guarantees to meet the GDPR's standards of protecting data subjects' rights. For example, Article 32 of the GDPR already outlines these responsibilities and provides specific suggestions for the type of security activities which might be 'appropriate to the risk'.
Above all, it's worth remembering that from encryption of data to testing and assessing security systems – everything needs to be compliant with the GDPR's new code of conduct.
With just two budget cycles remaining until the act becomes law, it seems GDPR readiness is not a priority amongst European IT professionals – and there's a lot to be done.
As an immediate priority, a UK enterprise should start to get its systems ready and implement upgraded breach notification policies. To deliver this effectively, IT must start working with legal teams and other key departments to avoid the potential for heavy fines and get their operations data fit for a new era of global digital trade.