U.K. information security and risk management professionals regularly ask me how the General Data Protection Regulation (GDPR) will impact the U.K.
This new E.U. regulation is not yet enforced and, given that the U.K. is leaving the E.U., does this law matter?
After talking to data protection officers (DPOs), whose job is to meet the GDPR's requirements around "robust breach detection and investigation," my answer is yes. They are able to see through the will-we, won't-we fog of Brexit and draw a vivid picture of what U.K. consumer data safety will look like, not just tomorrow but beyond the U.K.'s nascent departure from the E.U.'s binds.
The GDPR requires organizations that handle a set quantity of consumer data to appoint a DPO to coordinate initial and ongoing compliance with the regulation. An interesting initial observation on what U.K. companies think about the regulation's future is the prevalence of the DPO role in the U.K. compared to Europe's major economies. The U.K. has the most DPOs, according to a LinkedIn query that searched for people in the U.K. and Europe who hold that job title. There are 934 DPOs, followed by Germany with 794 DPOs or Datenschutzbeauftragte, according to the query. Also, between December and now the number of LinkedIn members with the DPO title in the U.K. went up by 5.4 percent, from 886 to 934 today.
As limited and imperfect as these stats are, they are a quantitative indication that the U.K. is not only equipped with more DPOs than any other E.U. country, but is increasing its volume, presumably to assist with hitting the May 2018 GDPR deadline. Clearly there is still commitment to the regulation.
DPOs cite three key dynamics as to why U.K. companies are still ramping up to meet GDPR compliance and why Brexit is of no consequence to the regulation in the short, mid or long term.
There is no single risk behind the cost-of-failure dynamic; the risk is spread across three separate spectres:
The unassailable facts are that we will 100 percent be in the E.U. until at least the end of March 2019 and GDPR commences May 2018. This commits us to an absolute minimum of 10 months of compliance. This assumes there is no delay in getting Article 50 through parliament by the end of March, and that is looking tight as of now! However, ever since the referendum passed, U.K. business has been lobbying for a transition arrangement to ease the negative consequences of Brexit. Now that need has been put into the U.K. government's stated negotiating objectives. A transition arrangement would almost certainly see the U.K. comply fully with E.U. regulation, and it is not without reason to suggest that the U.K. will remain within a transition agreement beyond 2020.
Furthermore, to keep trading with the E.U. under any form of single market access arrangement we would absolutely require compliance with GDPR verbatim. The obvious question is what would happen if the U.K. walked away from the single market altogether and converted into a tax haven, as the government has threatened. If U.K. businesses took this as their green light to stop caring about GDPR, they would have to be pretty sure they did not have a market in Europe, as any attempt to trade without an adequate level of security would certainly hit non-tariff barriers. So the concept of adequacy is key in most DPOs' minds.
Why would the U.K. not adopt GDPR itself? Conversations with the DPOs of major organizations that have built out senior U.K. government contacts have impressed upon me that top mandarins and ministers alike are thrilled with GDPR. They see the daily news full of hacks. They think GDPR is the spine that the U.K.'s Cyber Essentials program didn't have. They think it is absolutely fantastic that the regulation is applied across the entire E.U. trading bloc in a single hit. So it is very unlikely that the U.K. will not translate GDPR into U.K. legislation after our departure from the E.U. It is just too easy to say yes, given that it will already be de facto in force in 2018.
So with the above explored, it would seem that major U.K. businesses recognize the need to comply with GDPR or equivalent regulations that may be instituted by the U.K. government after Brexit. There may be less mature organizations that are going to take their chances, having successfully dodged many regulatory bullets for several years. But GDPR is a pretty big bullet when you put the risks in perspective.
The fact is that no consumer ever goes onto a website, selects goods, hits checkout and clicks an acknowledgement that they understand their personal data may end up in the hands of cyber criminals. As a consumer, as well as a security professional, I'm personally very glad to see that U.K. companies remain on plan to make a radical change for the better through some long overdue and very sensible regulation.