GDPR and Brexit: How Leaving the EU Affects UK Data Privacy

This article is the first of an ongoing series in which Kris Lahiri, Chief Security Officer for Egnyte takes an in-depth look at the General Data Protection Regulation.Later this year, the UK is expected to trigger Article 50 of the Lisbon Treaty, the first official step in its much publicised departure from the European Union.At the end of the Brexit process, the UK will also introduce the Great Repeal Bill, which will “instantly annul the 1972 European Communities Act (ECA) that gave EU law instant effect in the UK.” This bill will convert existing EU law into domestic law and from there, Parliament will work to decide which EU laws to discard.

General Data Protection Regulation (GDPR) aims to iron out the differences between national privacy laws within Europe and to introduce “one stop” enforcement for multinationals.  This will be determined via a lead regulator in the member state where the organisation has its main establishment.Among the laws to be considered is the EU’s newly adopted GDPR; a set of regulations designed to update antiquated protections like those provided in the UK's Data Protection Act of 1998. The GDPR is set to go into effect 25th May 2018, pre-empting the UK’s departure from the EU. This means UK companies need to comply with the regulation in order to avoid penalties. It is arguable that the UK should adopt the GDPR even after it leaves the EU to not only protect user privacy and data, but also to ensure its companies can remain competitive.

How the GDPR Will Modernise Data Protection

The GDPR aims to modernise Europe’s data protection laws for the first time in over twenty years by bringing them in line with today’s digital world. The law intends to do this by governing any use of EU citizen data, regardless of whether the entity using that data is a member of the EU. Even third-party service providers, such as data storage or cloud services, will assume shared legal responsibility for their suppliers’ data security measures.A content governance and services platform like Egnyte is a prime example here. We have offices and data centers in Europe and North America and store client information depending on where the client resides. We are a third-party storage provider and will need to adhere to the GDPR for our European clients.In addition to data residency, Organisations processing or storing the personal information of EU citizens must report data breaches within 72 hours and be ready to demonstrate their security and privacy procedures at a moment’s notice. Those found in violation of the GDPR will be subject to serious financial penalties—up to £20M or 4 percent of global annual turnover.Even nonprofit organizations are subject to noncompliance penalties. Large enterprises that suffer a breach without proper security processes in place may be hit hardest by fines like those listed above (whichever figure is higher).One of the biggest areas of focus for the GDPR will be data governance and privacy impact assessments. These will be made mandatory for high-risk processing activities, such as banking, clearing houses and personal insurance providers.Currently companies seem to have free reign with user data, but the GDPR will require businesses to demonstrate “privacy by design.” Stored user data must be pseudo-anonymised and privacy protection will need to be directly built into their policies. Citizens will have legal rights to bring about individual lawsuits and even make compensation claims in the event of a breach. For example, employers must store and protect the personal information of their employees in adherence to the GDPR.Unless organisations address this in employment contracts, employees can seek legal action after working for an organisation if it suffers a breach. Organisations are advised to prepare.  It will be easier to build these processes from the ground up rather than trying to retrofit later.Third-party data processors will be required to assess procurement processes and will likely have to abide by EU-approved boilerplate clauses in service provider contracts. (A marketing list purchase vendor will need to seek opt-in preferences in accordance with GDPR when selling those lists to organisations for promotional activities. This will need to be clear in client contractual arrangements)The GDPR also imposes restrictions on entities transferring personal data out of the European Economic Area (EEA). Such transfers will only be lawful under limited circumstances, due to required safeguards for the relevant personal data.[caption id="attachment_282726" align="aligncenter" width="693"]

Source: Computer Business Review[/caption]Consent must be provided by the data owner for each individual processing activity and this consent can be withdrawn at any time. Organisations must not only comply, but also pass that request on to other organisations that have access to that data.Fast forward to 2018 – GDPR has been established and the UK has adopted the regulation. Egnyte, like many organisations headquartered in North America, has customers in most, if not all, of the EU member states and the UK. For this example, a customer of ours, a large enterprise headquartered in the US, is working with a UK recruitment agency.The agency shares information with a large corporate client who uses our file sharing solution. The data concerns candidates for a senior level position and is personal and highly confidential. This is the point and time an organisation must have laid the foundations for the right to be forgotten, the right to erasure and the right to data portability.If one of the candidates wants their data removed and erased, could your organisation do so? Does the technology you use to share data have the capability to switch off data access? These are capabilities to consider and you must be able to respond swiftly if necessary.

Brexit and the GDPR

The timing of Brexit is such that no matter how things play out with the passing of the Great Repeal Bill or the completion of Article 50, the UK will be fully subject to GDPR for the better part of a year. Any company dealing with EU citizen data, wherever they're located, will be expected to meet its standards.UK-based organisations must begin preparing for the GDPR immediately. This undertaking will neither be simple nor cheap and for many organisations, it will involve looking into systemic ways they use data. However important for compliance, the new regulatory requirements are not limited to the right to be forgotten, right to erasure and the right to data portability.Meeting these requirements will take more than a few new rules within an organisation and may affect business operations down to core processes. Organisations need to designate a Data Protection Officer, or someone responsible for data compliance, and assess where the role sits within its business structure and governance arrangements.

Adopting the GDPR

Ultimately the GDPR will be good for businesses and users alike, refining controls on data flow and residency. In contrast to the Data Protection Act 1998, GDPR responds to living in a digital world. Compliance may require companies to overhaul current processes, which can raise expenses considerably. However, these expenses pale in comparison to those caused by a serious security breach—which cost companies fines that averaged £3.14M in 2015.A reported 76 percent of Europeans fear their data is unsafe in the hands of private companies and this number is unlikely to improve for businesses that don't follow GDPR regulations. When the UK enacts its Great Repeal Bill, it should consider adopting the GDPR in whole, because refusing to do so could hurt its companies in the long term.Even if you operate and trade outside of the EU, the GDPR likely affects you. All non EU organisations targeting EU citizens with goods or services will be subject to its rules. Organisations should designate a representative in the EU to act as a point of contact with both regulators and data subjects for compliance matters.[See the featured article on Computer Business Review]