One motivation for the Brexit vote was freedom from compliance with EU regulations, which apply comprehensively throughout Member States of the union. So, post-Brexit, U.K. companies should, in theory, no longer be obliged to follow regulations like the General Data Protection Regulation, the European Union’s new comprehensive privacy law that will apply to all EU Member States beginning in May 2018.
The catch, however, is that the GDPR boldly applies to companies outside the EU who gather the personal information of EU citizens. This means even if the U.K. leaves the union, its companies will need to comply with the GDPR to the extent they do business with EU consumers.
This likely explains why, in an IAPP survey of privacy professionals at more than 200 U.K. organizations, a convincing 94 percent report they are preparing for the EU’s GDPR even though the U.K. will need to have its own data protection law after it leaves the Union. Only 6 percent say they are waiting to see what post-Brexit data protection laws will be in the U.K.
Investing in Accountability, Training and Technology
Among those privacy professionals preparing for the GDPR, the primary focus is being able to demonstrate their compliance from the outset. Over two-thirds of those surveyed are creating a new internal privacy accountability framework. This means establishing or upgrading privacy programs, putting additional data protection mechanisms and policies in place, and potentially defining consequences for employee non-compliance.
Well over half, 58 percent, are investing in privacy training for their staff and employees.
In a nod to the exploding new field of privacy-related technology, nearly half of U.K. privacy professionals are preparing for the GDPR by investing in new technology.
U.K. companies are also diligently complying with Article 30’s obligation to appoint a data protection officer, with approximately 4 out of 10 respondents saying they are naming one. The IAPP has predicted that at least 28,000 new DPO roles will be needed in Europe alone – 75,000 globally – to comply with Article 30 of the Regulation. The U.K. seems to be heeding the advice of the Article 29 Working Party to err on the side of interpreting Article 30 broadly in DPO appointment decisions.
Although privacy budgets have long lagged behind security budgets, there’s good news for privacy teams in this survey: Thirty-eight percent of our U.K. survey respondents will see increases in their privacy budgets in anticipation of the GDPR, while 36 percent are adding privacy staff.
Privacy professionals are also encouraging others in their organization to get certified in privacy – 30 percent say this is in the works for the GDPR. The IAPP’s primary certification for those seeking to demonstrate GDPR knowledge is the Certified Information Privacy Professional/Europe (CIPP/E), which, when matched with the Certified Information Privacy Manager (CIPM) credential makes a powerful combination for those seeking DPO positions.
Finally, one in four U.K. privacy professionals plans to use a consulting firm as part of their GDPR compliance strategy – more than the 16 percent who will be looking to law firms.
The GDPR’s Toughest Requirements
Anyone who has read the voluminous GDPR document – including its Recitals and Articles – knows that wading through it once is hard enough. But turning its provisions into action within the firm will not be easy, and the U.K. privacy professionals we surveyed seem to have a healthy respect for the challenge they face.
On a 10-point difficulty scale, our respondents named the “right to be forgotten” as the most difficult compliance lift, with a score of 6.8. Data portability was second on the list, scoring 6.5.
Research must be an important use of personal information in the U.K., because those surveyed ranked it third (6.4), followed closely by “gathering explicit consent” as the fourth most difficult compliance lift (6.3), with profiling restrictions and breach notification tying for fifth place with a score of 6.0.
Cross-border data transfers drew a difficulty score of 5.6/10. After Brexit, transfers of EU citizens’ data to the U.K. will become more meaningful to U.K. companies and could become more difficult, depending on whether the U.K.’s post-Brexit data protection laws are deemed “adequate” under the GDPR.
Among other issues of concern, in decreasing order of difficulty, are privacy impact assessments (5.4/10); understanding the legal term “legitimate use” under the GDPR (5.1); understanding how data protection authorities will enforce the GDPR (4.9); understanding the GDPR’s jurisdictional scope (4.8); and finally, implementing the DPO requirements (4.6).
GDPR compliance is a challenge companies face all over the world as the clock ticks down to May 2018. In the U.K., it seems, privacy professionals are leaning into the wind to get the job done and are not waiting to see what Brexit will bring.
The full IAPP study is accessible here.