As Brexit slowly begins to become a reality, there are worrying signs that British businesses are cancelling vital data protection reforms – in the mistaken hope that rules will change once the UK has left Europe.
The UK vote to trigger Article 50 came shortly after politicians across the continent ratified the EU General Data Protection Regulation (GDPR), following years of negotiations. This legislation, which has been in the pipeline for the best part of a decade, is designed to harmonise data protection regulation throughout Europe and provide citizens with more control over their personal data. It has been backed by the UK and is due to come into force in May 2018 – almost certainly before Britain completes its exit from Europe.
Despite that fact, all the signs are that businesses across the country are delaying, postponing or even cancelling preparations in a mistaken belief that the regulation may not apply once Britain has finally left Europe.
At Crown Records Management we commissioned a survey to poll IT decision-makers at UK companies with more than 100 employees, looking at attitudes to the forthcoming regulation. It produced some very uncomfortable results and showed for example that:
- 24 per cent have cancelled all preparation for the regulation.
- A further 4 per cent have not even begun preparation.
- 44 per cent think the regulation will not apply to UK business after Brexit.
Some of those figures should come as a shock to the business world – especially those in outsourcing, where keeping track of data is an extra challenge – and act as a wake-up call. However, the survey showed wide differences in results across different sectors and different regions – indicating that Britain is pretty confused about how to respond to the new regulations.
- The number of businesses cancelling preparations was as high as a third in the banking sector.
- But in the insurance sector – and in the legal sector – not a single respondent had cancelled preparations. For those in the pharmaceutical sector it was only 4 per cent.
- As many as 55 per cent in banking think the regulation will not apply to UK businesses after Brexit.
- This figure was only 15 per cent for those in insurance.
This picture was played out across the country with vast differences in how different regions are preparing:
- In Birmingham and in Norwich half of those polled had cancelled preparations for the EU General Data Protection Regulation because of Brexit.
- But in Sheffield nobody said they had cancelled preparations.
- In Belfast a massive 79 per cent believed the EU GDPR would not apply after Brexit.
- In Sheffield the figure was only 15 per cent.
These variations may be of particular concern when services are outsourced but they should be a worry for every type of business in every sector.
It’s good to see that many businesses are aware of the importance of keeping up with new legislation and are on top of updating their data protection policies. But for so many to be cancelling preparations is a problem, because this regulation is going to affect them all in one way or another. Firstly, it is likely to be in place before any Brexit. Secondly, although an independent Britain would no longer be a signatory, it will still apply to all businesses which handle the personal information of European citizens.
When you consider how many EU citizens live in the UK, it’s hard to imagine many businesses here being unaffected – especially in the outsourcing industry. It is important to understand first of all that the underlying principles of the EU General Data Protection Regulation have not been questioned by the UK – in fact UK officials and politicians were heavily involved in drawing up the new regulation, and we already have some of the most stringent data regulation in the world here. The reality is that we are likely to continue to see stringent data protection in an independent UK rather than a watered-down version.
In fact our survey revealed that at least half of companies saw Brexit as an opportunity for Britain to position itself as the safest place to do business through even more robust legislation. So there is certainly a possibility that data protection in the UK will be even more heavily regulated in future. This means the best course for every business is to prepare now and have a watertight information management system in place as soon as possible. This issue is not going away, and to ignore it in the hope that Brexit will somehow absolve companies of the need for watertight information management policies is a mistake.
The new regulation will bring in huge new fines for data breaches – as high as 20 million euros or up to 4 per cent of global turnover for the most serious offences – and that should be enough to focus minds. There will also be strong guidance on how quickly a breach should be reported and a heavy emphasis on providing citizens with greater control over their personal data. Businesses need to consider now whether they know what data they are holding, where it is and how easy it will be to edit or delete – and Brexit is not going to save them from that responsibility.
There was some good news from the Crown Records Management survey, however. It also revealed that:
- 70 per cent of businesses with more than 100 employees have already appointed a data protection officer, one of the requirements of the EU GDPR.
- Half have introduced staff training and only 4 per cent do not plan to.
- 72 per cent have reviewed data protection policies.
- 44 per cent have undertaken an information audit.
These are important statistics, particularly when it comes to staff training, because the vast majority of data breaches are down to human error. But the overall picture is that many businesses are holding back on preparations for the EU General Data Protection Regulation – and that should be addressed. For British businesses to thrive in the new data era, there is no room for confusion: having a robust data protection and information management system in place is absolutely vital.