The European Union’s General Data Protection Regulation (GDPR) was brought in to improve data privacy rules and came into force in May 2018. Breaches of GDPR can lead to heavy fines – from the Information Commissioner’s Office, these penalties can be up to £17.5 million or 4% of the company’s total annual worldwide turnover in the preceding financial year, whichever is higher.
Since May 2018, fines and penalties have been dished out to organisations large and small, from the likes of Facebook, Amazon, Google and British Airways through to smaller organisations such as charities, municipal bodies and schools.
Since the UK voted for Brexit and elected to leave the European Union, what would happen to GDPR and the use of data has been an ongoing question. For some, getting rid of GDPR is essential for the UK to create new opportunities based on data. For others, it would represent an immediate step back and a risk to security.
But what is the right approach here, and what should the next steps be?
Where We Are Today
Preparation for GDPR was a huge focus for IT and business teams in the run-up to May 2018. Even for those companies outside of the EU, compliance was still required if they had customers within the EU. According to a report by EY and the International Association of Privacy Professionals (IAPP), the mean amount spent on GDPR preparation was about $5 million (£3.6 million).
Today, GDPR compliance is something that companies continue to maintain over time. The cost for this was on average around $1.3 million (£941,000) per year. That spending has delivered – according to the most recent IAPP data, 47% of companies are fully or very compliant with GDPR, up from 39% a year earlier. For European companies, the figure is even higher, at 57%.
The UK Government has announced that it will consult on changes around data protection and privacy. Unlocking the power of data is one of the Government’s 10 priorities for technology, and it is looking at how to sign partnerships with countries like the US, Australia, South Korea and Singapore, as well as working on future partnerships with the likes of India, Brazil, Kenya and Indonesia. These partnerships would be based on establishing data privacy and adequacy that each country would abide by.
This potential move away from GDPR is intended to help British companies build more successful businesses around data. However, any diversion from the GDPR standard could lead to issues between the UK and the EU around data handling and privacy across borders. In looking to sign agreements with other countries – for example, the US – any agreement would also have to abide by current GDPR regulations in order to maintain the flow of data between the UK and the EU.
What Might Happen Next?
We don’t know exactly what the UK Government will decide to do next, but we can envision several different scenarios.
The first is that the Government might turn away from GDPR and its approach to data privacy completely. This would involve substituting a new framework and approach, with its own rules and legislation to be drawn up. This wholesale approach is not likely, as it would break the flow of data between the UK and the EU and jeopardise current business for potential future opportunities. At the same time, companies would react badly given the amount of time, effort and money that has gone into complying with GDPR previously.
The second approach is that the Government might try to establish more stringent rules on data privacy. This would cast the UK as a central hub for strong best practices around data that others can learn from, as well as providing more protection for both individuals around their data and for businesses around how they process and use that data too. This approach might sound appealing, but it could further restrict what companies can do around data and how they seek approval from users to work with said data. This would go against the ‘common sense’ approach that the Government has previously mentioned.
The third approach – and the most likely – is that there will be some changes to the processes around data, but that the outcome will largely remain the same. This would retain the majority of the existing approach around informed consent, legitimate interest, and ensuring that customers know what they are agreeing to around their data. However, there may be some changes to how individuals are notified and to the level of detail required to become compliant. The emphasis will be on making things simple, streamlined and compliant for everyone.
The risk with all this is that companies in the UK may assume that they can drop their compliance efforts, or try to push the boundaries around what is possible around user data without consent. The influence of GDPR also continues to spread – the US state of California has adopted rules on data privacy and protection based on the European approach, while countries like India and China have put together their own data privacy approaches that use GDPR as a framework. Any shift too far away from how GDPR works would therefore leave the UK stranded, just as other countries adopt more stringent rules themselves.
What Lies Ahead
Whatever decisions take place, customer data privacy and security have to be maintained. Any alterations to GDPR will lead to more expense for IT teams, even if those changes do open up more market opportunities around using data faster. As any changes take place, companies must continue to support the right data privacy and security processes across their operations. This includes tracking how data gets used and how systems are kept secure.
By Matthew Middleton-Leal, Managing Director EMEA, Qualys.