What to retain from the GDPR after BREXIT
by Tara Taubman-Bassirian
In Decembre 2016, Infosecurity magasine titled “Over Half of Global Firms Still Not Progressing with GDPR” reporting :
“GDPR is the most significant change to data protection in a generation and an imminent global issue that will dominate data privacy, management and regulation discussions in 2017,” said Mike Palmer, executive vice-president at Veritas. “To avoid potential regulatory fines or worse, damage to their corporate brands and reputations, global enterprises must take action now to understand where their data resides and how to protect it.”
Since the UK referendum vote for BREXIT much has been speculated about the situation of the UK with regard to compliance to the GDPR enforceable from 28 May 2018. Although they are uncertainties, the recent UK Information Commissioner speech has reinforced the opinion that UK businesses need to get ready to comply.
The GDPR has significantly raised the bar for compliance. Fines can go up to €20 million or 4% of annual global turnover. Organisations had two years to be ready. Shortage of Data Protection Officers was predicted. After an initial period of panic, the summer 2018 was rather quiet, many organisations were expectative waiting for the enforcement of the regulation.
The new EU data protection law, non sector-specific, is technologically neutral and all types of organisations are affected.
According to Recital 22; Art.3(1), the GDPR applies to organisations that are established in one or more Member State and process personal data in the context of that establishment.
Recital 23 Art.3(2)(a) adds :
- The GDPR applies to organisations established outside the EU if they process data of EU residents when offering them goods or services.
Finally, Recital 24 Art.3(2)(b) states :
The GDPR applies to organisations established outside the EU if they monitor the behaviour of EU residents.
What justifies compliance ?
- Because UK businesses will need to be compliant to continue to trade with the rest of the EU.
- Because gaining customers trust is important.
- Data breach notification cannot be neglected, the organisation’s reputation can be badly hurt.
- So much can be gained, from Big Data, geolocation data, IoT, etc… Privacy should be seen as an asset and not just a burden.
- Marketers would benefit from accurate data instead of bulk out of date or inaccurate data collection .
- Making privacy and data protection an asset could be the future of Big Data.
Collecting and legitimately processing data with respect to the 8 principals, incorporated into Chapter 2, Article 5 (1) (a)-(f). are the future of data industry :
- storing data for a limited period or only where necessary,
- keeping data accurate and adequate,
- processing lawfully, fairly and in a transparent manner, with purpose limitation,
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage,
- using appropriate technical or organisational measures,
Here is my compilation of all various opinions and analysis of the situation:
- to better understand what is required by the GDPR,
- The UK and the GDPR after BREXIT,
- The Working Party ARticle 29 position,
- Opinions of Privacy experts,
This work is licensed under a Creative Commons Attribution 4.0 International License.