New survey reveals that less than 15% of UK organisations are ready for GDPR and 93% of the public are pleased that non-compliance can mean big fines writes Richard McCann
The European General Data Protection Regulation (GDPR) will apply across the remaining 27 EU states from 25 May 2018. While some people suggest that the GDPR may no longer apply to the UK, that ignores the fact that huge numbers of UK businesses and services operate across borders, so international consistency around data protection laws and rights is still crucial, and UK data protection standards will have to be equivalent to the GDPR from 2018.
“If you thought GDPR was a dead duck post Brexit – think again”, says Ian Collard, MD of data experts Identity Methods. “No matter what deal is negotiated, if you trade with any company or authority in the EU, the broad sweep of GDPR principles will still apply.”
Indeed, because of the world’s growing digital economy, the provisions of the Data Protection Act offer vital controls and safeguards and will remain UK law irrespective of Brexit. No matter where an organisation is based, if it manages, stores or processes personal data relating to EU clients, prospects or employees, it must still abide by the Act or risk very substantial fines.
“The current Data Protection Act was drawn up at a time that pre-dated widespread use of Smartphones, social media or indeed the Internet itself,” says Mr Collard. “Suggesting that we adopt the old Act as our fall-back position is akin to using veteran car laws to control modern motorway traffic.”
17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged across continents and around the globe in fractions of seconds.
In a digital age, the collection and storage of personal information are essential. Data is used by all businesses – from insurance firms and banks to social media sites and search engines. In a globalised world, the transfer of data between countries has become an important factor in daily life. There are no borders online and cloud computing means data may be sent from Berlin to be processed in Boston and stored in Bangalore.
Data protection has become hot news. Something that board directors once regarded as a ‘good thing to have’, ranking alongside health and safety and risk assessments, and that the public understood to mean little more than not selling on their email address without permission, is now a mainstream media topic.
Whereas journalists once had to research the names of companies affected by data breaches to give their stories relevance to a mainstream readership, it is now all too easy to list household-name global businesses that have suffered a breach.
In turn, the severity of those breaches has multiplied. What was once a minor inconvenience for the PR department to defuse has become a national or even international scandal capable of bringing a corporation to its knees.
And plans to make directors personally accountable mean that the personal penalties are more than an embarrassing interview or a tactical management reshuffle: personal financial ruin is a very real prospect.
“There’s still a mountain to climb in simply getting organisations to be aware of their new obligations,” adds Mr Collard. “Our survey shows that 38% are still not aware of the new rules and fewer still (14%) have planned their compliance. That’s especially disturbing when we know that almost all (93%) of the public surveyed were in favour of big fines for organisations flouting the rules on protecting personal data. This is significant because under the new legislation if the public chooses to withdraw consent for organisations to process their personal data those organisations will be obliged to delete all related information.”
Two-thirds of people (67%) are concerned about not having complete control over the information they provide online.
Outsourcing data processing offers no escape from the law: as the data controller, you remain liable for the security of the data. Data processors will also share liability for compliance, something many of them do not yet appear to understand.
Seven out of ten people worry about the use that companies may make of the information they disclose.
Nearly nine out of ten finance workers employed by Wall Street investment banks in Europe are based in the UK, and close to 80 per cent of all the money raised on capital markets in the region is raised through London (Times). So from a financial perspective, it is the job of the FRC (Financial Reporting Council), the FCA (Financial Conduct Authority) and the Bank of England’s own PRA (Prudential Regulation Authority) to show the world that the UK continues to be the first choice and a safe place to do business.
We need to be extra-vigilant in ensuring that London is squeaky clean from risk.
Richard McCann is a writer, author and broadcaster. Ian Collard is managing director of Identity Methods, which is retained on cyber threat, data protection, identity and access management matters by British and European organisations including banks, city councils, the police and other insurance, government and retail sector clients.
Identity Methods’ new book ‘European Data Protection Legislation – What it Means to You’ is available from Amazon and as a download from www.IdentityMethods.co.uk