The Brexit transition period is over. But confusion about what needs to be done to protect customer privacy, and avoid data protection fines, is not. In 2020 the Information Commissioner's Office recommended that businesses put data protection safeguards in place prior to the UK’s exit from the EU. However, uncertainty led many organizations to opt for a ‘wait and see’ approach. The result, now that Brexit has happened, is that they are unprepared to safeguard themselves, or their customers.
However, the blame for this should not fall solely on the shoulders of businesses. They have been waiting for tangible guidance from the UK government, who have failed to provide the clarity that is desperately needed. But, regardless of who should be held responsible, companies still need to adapt to new, post-Brexit rules to remain compliant. This is essential for protecting customer data and should be a core focus for all businesses over the coming months, and particularly those who have faced challenges in this arena in the past.
A checkered data protection past
Most businesses, regardless of the sector they are in, collect sensitive data. Many, however, were not fully equipped to protect it even before Brexit. The financial services industry is a prime example. Financial companies are trusted with a broad range of personally identifiable information (PII) – from national insurance numbers to banking details and even home addresses. But, worryingly, they lack the knowledge and resources to effectively address the privacy risks, according to research from Accenture. The regulatory challenges associated with Brexit only compound this issue. As such, businesses must turn their attention to how they can build a well-rounded, privacy-first culture that will facilitate customer trust and comply with new regulatory requirements.
Realities of a post-Brexit world
Now that Brexit has happened, the UK has established its own version of the General Data Protection Regulation (GDPR). However, guidance on how this differs from the EU GDPR and what these changes mean for businesses has been thin on the ground. What’s more, while the UK has confirmed it will allow the free flow of data from the UK to the EU, the EU has yet to do the same through an adequacy agreement. This has placed a question mark over how businesses should approach storing and processing the data of EU employees and customers. In short, uncertainty still reigns supreme.
If an adequacy agreement is not reached, companies will need to rely on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) to facilitate data transfers. Unfortunately, neither is a viable option across the board. SCCs are superseded by surveillance laws, and BCRs are too time-consuming and costly for smaller organizations. Consequently, businesses could find themselves in a position where they send data to the EU and do not receive it back: an impossible scenario for any company that relies on ongoing transfers of sensitive data.
To add to the complication, even if the UK is approved by the European Commission as an ‘adequate’ third country in the next six months, cross-border data flows will always be a looming issue. This is because the European Data Protection Board can review and revoke the decision at any time.
To put themselves in the best possible position in the midst of this uncertainty, banks should follow Forrester’s recommendations: analyze how the lack of an adequacy decision will impact their data transfers and ensure they are as well prepared as possible.
Rebuilding customer trust
Whilst the uncertainty around post-Brexit data regulation is frustrating, businesses should view it as an opportunity to reset. There is work that needs to be done to rebuild customer trust that has been eroded by a perceived disregard for data privacy. In fact, three-quarters of UK consumers report being concerned about sharing their personal data with companies, according to research from Esomar and Here Technologies. A further 89 percent believe the current laws and regulations are not sufficient to ensure their personal data is not misused. By using Brexit as an opportunity to rethink approaches to data protection, businesses can address these concerns and demonstrate that their data protection measures are sound.
Putting privacy and security first
A smart new approach to data privacy involves embedding data protection rules into IT infrastructure. This automates compliance so businesses have control over, and visibility of, what is happening to customer data at all times. This type of solution is cost effective and delivers significant ROI. It will save teams thousands of hours in auditing, freeing up resources to focus on customer care and support. It also lays the foundation for a robust but low-lift data management strategy that will safeguard customer data now and when the post-Brexit regulatory framework becomes clearer.
Commencing a data privacy reset is daunting for many organizations. However, the good news is that overhauling your approach to privacy does not always require a big financial investment. The most critical step is a change in mindset. This means putting the privacy and security of customer data at the heart of your strategy and embracing technology that facilitates this.
Future-proofing data protection for an unpredictable post-Brexit world
Even though Brexit has taken place, the exact shape of UK data protection regulation is still uncertain. A key focus for the government is securing an adequacy agreement that will facilitate the free, secure flow of data. But businesses cannot afford to ‘wait and see’ while this is settled. To ensure that customer data is protected, businesses should view Brexit as an opportunity to reset and enhance data protection practices. This means building a privacy-centric culture: one that prioritizes having an effective data protection strategy in place. This is the key to successfully navigating the uncertain regulatory environment and, just as importantly, rebuilding customer trust.
Rich Vibert, CEO and Co-Founder, Metomic