Navigating Brexit and GDPR

Paul Rowley FBCS CITP offers his personal views on what the General Data Protection Regulation (GDPR) will mean for businesses and how organisations can ensure they prosper as the UK renegotiates its place in Europe.

Back in April, I was keeping an eye on the news. As a football fan and a human being, I was watching Theresa May make her statement in Parliament about Hillsborough, and as a Data Protection Officer I was searching for news about the European Parliament adopting the General Data Protection Regulation (GDPR), which replaces the 1995 Data Protection Directive that most of you will recognise through its UK implementation, the Data Protection Act 1998.

Change is coming

Why replace it? Four years ago, the EU concluded that a single, harmonised framework for data protection was the way forward, rather than the patchwork quilt of national legislation that largely met the minimums of the 1995 directive but also reflected the very specific attitudes of each member state.

It applies from 25 May 2018, and it should really be a ‘wake-up call’ for every organisation in Europe. What does it all mean? Well, if you do data protection badly, the GDPR can be a huge threat to your business, with huge penalties. However, I would say that if it is done well, it can take your business further, improve customer satisfaction and even improve your bottom line. For too long, data protection has been seen by business as a nuisance: an unnecessary, and therefore unwelcome, layer of bureaucracy. I want to show you how the GDPR makes complete sense to anyone who wants their organisation to benefit from holding personal data.

Reality check

It is simple really. There are three general reasons for holding personal data: 1) to service the contract you have with customers, 2) to invite them, or others, to buy more from you, and 3) to make better decisions about where you take your business.

Similar to the existing Data Protection Act, the GDPR has some basic principles. They state that you should only collect what you need, make sure it is for a legitimate purpose, and be open and transparent about it. Holding personal data is a bit like ‘A Dog Isn’t Just For Christmas’, in that you have an ongoing commitment to that data for as long as you keep it. If you need to keep it, you must keep it accurate and up to date. If you do not need it any longer, then you must delete it. You need accurate data to service your contracts, get more business and make those better decisions. So the GDPR is really only making you think harder about the personal data you hold, and the outcome is actually in your favour.

Your customers provide their personal data to you. Some of it you can demand, the data that is necessary to service the contract you have with them; the rest is discretionary. All of it must be offered freely, and this means that they must trust you with it. If you stop and think about it, you are the curator of a museum. If you were given lots of Ming vases for your collection but kept breaking them, do you honestly think you would be given many more? Nope. Those Ming vases are clearly valuable items, but the personal data that you care for on behalf of your customers also has a value, and they would not keep giving you their personal data if the trust were not there because you had abused it or failed to look after it. All you have to do is keep that personal data safe and treat it with respect. So, the idea of the value of personal data intrigues me.

Time for a valuation

Hopefully, we all have finance departments: teams of people who specialise in understanding where money enters the business in the form of income, what it does while it is there, and where it leaves in the form of expenditure. Transactional data is recorded and reconciliations are carried out to ensure that we all comply with accounting practices. Why? Money has a value. There are accounting rules that we must follow, but there is also an entire ‘culture’ built on the value of money. For years, personal data has been treated as a freebie by organisations and not truly appreciated by the data subjects whose data it is.

Many of you will engage consultancies and auditors to prepare for GDPR, and indeed I would recommend that you do, fairly quickly. These new regulations are not going anywhere and you should not put your head in the sand. That will make sure you follow ‘the rules’, and you will almost certainly end up with a gap analysis and an action plan. But what you also need is to promote the ‘culture’ that goes with it. You need to change the way your teams think about personal data and understand the value of it. When you train people in data protection legislation, ask them what their medical history is worth. Ask them what would happen if it was leaked. How would they feel? Could they put a price on it? Ask them what assurance they would expect from an organisation.

Brexit

Back to the GDPR. I have been concerned by the number of people, some of whom are Data Protection practitioners, who have told me that as the UK is leaving the European Union there is no point preparing for GDPR because we would no longer be subject to it. Well, timing is an issue for a start: the UK would still be a member of the EU in May 2018, even if we had already triggered Article 50, so we would need to be compliant, although this is all up in the air subject to the negotiations.

Taking a wider view, there is the Digital Economy Bill, which goes to Committee Stage in October on its way to Royal Assent as early as February 2017. The bill is designed to create the right environment for the increased use of digital technologies in the UK. But a healthy market comes from two things: supply, through the availability of broadband and so on, and that assurance again. If people feel that the law is not able or willing to appreciate the value of their personal data, then we will fail to build a digital society no matter how quick your broadband connection is. We would therefore need some legislative assistance in giving everyone that level of assurance, which would be akin to GDPR, because the existing DPA is from a time before social media and cloud technologies that are oblivious to borders.

In Europe, they are building a Digital Single Market. The GDPR is designed to give the assurance needed. Regardless of our relationship with Europe post-2019, we want the UK IT sector to take advantage of opportunities in Europe and therefore we will need to follow GDPR.

Something to think about

For your own organisation as well as the wider community, digitalisation is advanced through the application of technology, but also through the assurance you give your customers and potential customers. It should not require GDPR to enable this, but it is a jolly useful imperative to get buy-in from your Boards.

Those fines are there to penalise the naughty, but also to bring about some real change in the way everyone thinks about personal data. Your organisation can really benefit from rethinking how it manages personal data and how it could be innovative. When your customers give you their personal data and they have assurance, they want you to use it in ways that help them, to make their relationship with you special.


Comments (8)

  • 1
    Marc Low wrote on 20th Oct 2016

    Good post Paul – honest and informative, and refreshingly positive about the coming changes in DP and privacy laws, which makes a change considering all the doom and gloom that gets said about it. I really do think these changes are well overdue. We shouldn’t see this all as a ‘chore’ but rather an ‘opportunity’. And we can ALL benefit from applying the new regulations to our organisations’ policies and operations. You’re so right – it is all about enhancing good customer relationships, gaining their trust & respect and making the relationship “SPECIAL”, which in turn promotes sustainable business. BRING IT ON!


  • 2
    Ian Jarvis wrote on 21st Oct 2016

    Many businesses will see this as another cost burden at a time of great uncertainty, but this post definitely delivers a positive vibe, because increased satisfaction drives loyalty and advocacy, which should lead to increased business benefits - nice post Marc.


  • 3
    Andrew Cranmer wrote on 21st Oct 2016

    Unless I am wide of the mark, GDPR is already law as of 25 May 2016. It becomes enforceable with penalties from 25 May 2018. Therefore, once the bill moving all EU law into UK law is passed, it will be UK law. It would then have to be removed from the legislation for people not to have to comply. Also, if we store the details of EU citizens we will have to comply anyway to trade with EU countries. Unfortunately for naysayers, the law makes sense: we should protect the data we hold, so I doubt there will be any desire from Government to relax this law once they are able to. We need to stop wasting time looking for ways to avoid GDPR and create better systems and applications for dealing with it safely. The business benefits will be increased public confidence and the ability to use those same layers of protection to secure our confidential and proprietary information, enabling our businesses to remain competitive.


  • 4
    Hope S wrote on 25th Oct 2016

    Good post, very informative and well explained. I wonder, will BCS update its Data Protection certification and add GDPR? Any plans in the near future for any GDPR certifications?


  • 5
    Adrian Winckles wrote on 11th Nov 2016

    Very good post, well balanced and very worthy of being disseminated further - Adrian


  • 6
    Angus McAllister wrote on 11th Jan 2017

    A refreshing take on GDPR, focusing on the upside of compliance in the light of an increasingly savvy public of data subjects. Without trust, business cannot function effectively, and the GDPR takes a lot of the friction out of establishing that for personal data.


  • 7
    Dave Allen wrote on 4th Sep 2017

    Not sure if this is the right place to post (GDPR question).

    I am interested in opinion on encryption of database columns containing personal identifiers. From a development perspective this sounds problematic especially in the area of DB indexing/searches.

    I have customers and associated developers considering this and would like to canvass opinion.

    My personal feeling is that application/database security is sufficient here, as physical access to a server, probably located in a data centre, may be required to compromise the security of the data.

    If there is a better place to open a discussion on this subject, could you please direct me to it? I had a quick look through the communities and there didn't seem to be any likely candidates.

    Thanks in advance
    Dave


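Dave's question above, on encrypting the columns that hold personal identifiers without losing the ability to index and search them, has a standard answer: keep the ciphertext column randomised, so it reveals nothing on its own, and add a second, deterministic "blind index" column holding a keyed hash of the normalised value, which is the column the database index goes on. Equality queries hit the index; decryption only happens on the handful of candidate rows. What follows is an added example written for this page, not code from the post or from any of the commenters. It uses only the Python standard library, so the AES-GCM you would use in production is stood in for by an HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag; the keys, the table and the customer rows are all constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
import unicodedata

# Constructed keys so the example runs offline. In a real deployment they come from
# a KMS/HSM, never from source, and the two must be independent: whoever holds
# IDX_KEY alone can run a dictionary attack against the index column.
ENC_KEY = bytes(range(32))
IDX_KEY = bytes(range(32, 64))

def _normalise(value: str) -> str:
    """Canonical form for matching, so 'Alice@Example.com' equals 'alice@example.com'."""
    return unicodedata.normalize("NFKC", value).strip().casefold()

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """Randomised, authenticated encryption of one column value.

    Stand-in for AES-GCM so the example needs no third-party package: HMAC-SHA256 as
    a PRF in counter mode, then encrypt-then-MAC. Use AES-GCM in production.
    """
    k_enc, k_mac = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)  # fresh per value: equal plaintexts give unequal ciphertexts
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(k_enc, nonce, len(data))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_field(key: bytes, blob: bytes) -> str:
    """Verify the tag before touching the ciphertext; ValueError on any tampering."""
    if len(blob) < 16 + 32:
        raise ValueError("ciphertext too short")
    k_enc, k_mac = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct)))).decode("utf-8")

def blind_index(key: bytes, value: str, nbytes: int = 8) -> bytes:
    """Deterministic keyed hash of the normalised value: equal values, equal index.

    Truncating limits what a leaked index column reveals, at the cost of rare false
    positives that find_by_email() removes after decrypting. The index still shows
    which rows share a value, and supports equality lookups only (no LIKE or ranges).
    """
    return hmac.new(key, _normalise(value).encode("utf-8"), hashlib.sha256).digest()[:nbytes]

def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
                 "email_ct BLOB NOT NULL, email_idx BLOB NOT NULL)")
    conn.execute("CREATE INDEX customers_email_idx ON customers (email_idx)")  # the searchable column
    return conn

def insert_customer(conn: sqlite3.Connection, name: str, email: str) -> None:
    conn.execute("INSERT INTO customers (name, email_ct, email_idx) VALUES (?, ?, ?)",
                 (name, encrypt_field(ENC_KEY, email), blind_index(IDX_KEY, email)))

def find_by_email(conn: sqlite3.Connection, email: str) -> list:
    """Equality search without decrypting the whole table: hit the index, then confirm."""
    rows = conn.execute("SELECT id, name, email_ct FROM customers WHERE email_idx = ?",
                        (blind_index(IDX_KEY, email),)).fetchall()
    wanted = _normalise(email)
    return [(rid, name) for rid, name, ct in rows
            if _normalise(decrypt_field(ENC_KEY, ct)) == wanted]

def uses_index(conn: sqlite3.Connection) -> bool:
    """Ask SQLite's planner whether the lookup is an index search rather than a table scan."""
    plan = conn.execute("EXPLAIN QUERY PLAN SELECT id FROM customers WHERE email_idx = ?",
                        (b"\x00" * 8,)).fetchall()
    return any("customers_email_idx" in row[-1] for row in plan)

def tamper_detected(key: bytes, blob: bytes) -> bool:
    try:
        decrypt_field(key, blob)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    db = setup_db()
    for name, email in [("Alice", "Alice@Example.com"), ("Bob", "bob@example.com")]:  # constructed rows
        insert_customer(db, name, email)
    print(find_by_email(db, "alice@example.com"), "index used:", uses_index(db))
```

Two caveats a practitioner would want before adopting this. The blind index leaks equality patterns (which rows share an email) and nothing more, but it only answers exact-match queries; prefix, LIKE and range searches on the encrypted column are not available, so decide per column which identifiers actually need to be searchable. And the threat this addresses is copies of the data that bypass the application, such as backups, replicas, a DBA's console or an injection that dumps the table; the application host holding ENC_KEY and IDX_KEY remains the thing to protect.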
  • 8
    Brian Runciman wrote on 4th Sep 2017

    @Dave
    Interesting question Dave - could I suggest you start a conversation on our new BCS Voices area? https://voices.bcs.org/ Could be a good place to get a few views... Brian

