U.K. information security and risk management professionals regularly ask me how the General Data Protection Regulation (GDPR) will impact the U.K.
This new E.U. regulation is not yet enforced and, given that the U.K. is leaving the E.U., does this law matter?
After talking to data protection officers, whose job is to meet the GDPR’s requirements around “robust breach detection and investigation,” the answer is yes. They are able to see through the will-we, won’t-we fog of Brexit and draw a vivid picture of what U.K. consumer data safety will be not just tomorrow but beyond the U.K.'s nascent departure from the E.U.’s binds.
UK companies are still hiring DPOs
The GDPR requires organizations that handle a set quantity of consumer data to appoint a DPO to coordinate initial and ongoing compliance with the regulation. An interesting initial observation on what U.K. companies think about the regulation’s future is the prevalence of the DPO role in the U.K. compared to Europe’s major economies. The U.K. has the most DPOs, according to a LinkedIn query that searched for people in the U.K. and Europe who hold that job title. There are 934 DPOs, followed by Germany with 794 DPOs or Datenschutzbeauftragters, according to the query. Also, between December and now the variance in the volume of LinkedIn members with the DPO title went up by 5.4 percent in the U.K., from 886 to 934 today.
As limited and imperfect as these stats are, they are a quantitative indication that the U.K. is not only equipped with more DPOs than any other E.U. country, but is increasing its volume, presumably to assist with hitting the May 2018 GDPR deadline. Clearly there is still commitment to the regulation.
Why GDPR compliance is still necessary, regardless of Brexit
DPOs cite three key dynamics as to why U.K. companies are still ramping up to meet GDPR compliance and Brexit is of no consequence to the regulation, short, mid or long term.
1. Far too expensive to get it wrong
There is no single risk for the cost of failure dynamic, the risk is spread across three separate spectres:
- 4 percent global revenue or €20 million in fines - Perhaps a big risk? However, most organizations assess risk by experience internally and externally and few have actually been fined by this magnitude to qualify the risk as real. In fact, the Information Commissioner’s Office (ICO) pursuing fines on this basis may prove counterproductive for society by virtue of increasing unemployment queues due to most firms being unable to sustain such a hit. Time will tell what magnitude of fines the ICO will issue, but the majority of DPOs I've spoken with do not consider this to be the be all, end all risk. It is just the easiest to describe
- Consumer decision making influence - Absolutely a risk. Consumers with finely balanced decisions to make between similar suppliers are well known to be influenced by breaches reported in the media, and mandatory public breach notification is exactly what GDPR is all about. Think about the loss of 100,000 customers for TalkTalk after their well covered breach. Catastrophic risk.
- The litigation industry - aka PPI Part Deux? The emerging spectre that sits on the back of mandatory breach notification is the distinct possibility of a new litigation industry. One that reaches out to consumers to fight 'no win, no fee’ battles for 'maybe' being the unfortunate victim of having their personal data unsafely handled. In fact, it’s well known in DPO circles that a number of litigation firms are ramping up hiring to maximize this beckoning market opportunity. For this reason many of the DPOs I’ve spoken to have said that one of the toughest parts of the puzzle they are putting together is a response strategy to this risk. They say that it is not just the expense of litigation defense itself, or payouts that ensue. It is as much the risk of creating a huge distraction and burgeoning staffing expense for security operations that could be forced to launch investigations per claimant. IT departments understand all too well how painful this risk could be through the many hours of overtime they have had to sanction to run data backup recoveries to comply with Data Discovery Orders over the years.
2. Overlap, transitional arrangements and adequacy
The unassailable facts are that we will 100 percent be in the E.U. until at least the end of March 2019 and GDPR commences May 2018. This commits us to an absolute minimum of 10 months of compliance. This assumes there is no delay to get Article 50 through parliament by the end of March and that is looking tight as of now! However, ever since the referendum passed, U.K. business has been lobbying for a transition arrangement to ease the negative consequences of Brexit. Now that need has been put into the UK’s government's stated negotiating objectives. A transition arrangement would almost certainly see the U.K. comply fully with E.U. regulation and it is not without reason to suggest that the U.K. will remain within a transition agreement beyond 2020.
Furthermore, to keep trading with the E.U. under any form of single market access arrangement we would absolutely require compliance with GDPR verbatim. The obvious question is what would happen if the U.K. walked away from the single market altogether and converted into a tax haven as the government's threats go? If U.K. businesses took this as their green light to not care about GDPR then they would have to be pretty sure they did not have a market in Europe as any attempt to trade without an adequate level of security would certainly hit non-tariff barriers. So the concept of adequacy is key in most DPO's minds.
3. UK government simply thinks GDPR is great
Why would it not? Conversations with the DPOs of major organizations that have built out senior U.K. government contacts have impressed to me that top mandarins and ministers alike are thrilled with GDPR. They see the daily news full of hacks. They think GDPR is the spine that the U.K.'s Cyber Essentials program didn’t have. They think that it is absolutely fantastic that the regulation is applied across the entire E.U. trading bloc in a single hit. So the probability of the U.K. not translating GDPR regulation into U.K. legislature after our departure from the E.U. is very unlikely. It is just too easy to say yes given that it will already be de facto in 2018.
UK businesses will have to comply with some type of data protection regulation
So with the above explored, it would seem that major U.K. businesses recognize the need to comply with GDPR or equivalent regulations that may be instituted by the U.K. government after Brexit. There may be less mature organizations that are going to take their chances and have successfully dodged many regulatory bullets for several years. But GDPR is a pretty big bullet when you put the risks in perspective.
The fact is that no consumer ever goes onto a website, selects goods, hits checkout and clicks an acknowledgement that they understand their personal data may end up in the hands of cyber criminals. As a consumer, as well as security professional, I’m personally very glad to see that U.K. companies remain on plan to make a radical change for the better through some long overdue and very sensible regulation.
