Wake-up call on cost estimate to UK business from EU GDPR


The EU General Data Protection Regulation (GDPR) is already in force and becomes enforceable on 25th May 2018.  Many businesses have not yet started to review their data protection arrangements in response.

Recent analysis published by the Payment Card Industry Security Standards Council (PCI SSC), using survey figures from the Office for National Statistics, suggested that there were 2.46 million ‘cyber incidents’ in 2015.  If the Information Commissioner’s Office (ICO) were notified of every breach and imposed the maximum penalty, large organisations would face fines totalling £533m and SMEs would have to pay £908m under the existing data protection laws.

Under GDPR the same offences would attract a truly massive hike in financial penalties: fines of £70bn for major organisations and £52bn for SMEs.

These estimates assume the maximum fine is levied for every breach from day one of the new rules; in practice each national data protection authority is likely to be more lenient in the early stages of GDPR enforcement.  Added to this, following Brexit, the UK data protection legal landscape and its penalties have yet to be defined.  Businesses operating internationally nonetheless have to work within the GDPR framework, and many are now starting to appoint data protection officers.

The message is clear: businesses cannot afford to dally.  Whatever their size, all organisations need to start their preparations now.  Companies should conduct reviews to understand and map the personal data they hold, where it flows and who processes it, and put in place robust standards and procedures for managing that data and responding to security incidents.  Only by taking these steps can organisations hope to avoid the increasingly overwhelming fines that could legitimately be imposed.

Blog – Safe Harbour 2.0 Gets The Green Light


The next major raft of data legislation took effect on 12th July 2016, with the European Commission’s formal adoption of the EU-US Privacy Shield framework.  These measures are intended to protect the personal data of EU citizens when it is transferred to the United States.

“We have approved the new EU-US Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses,” said Andrus Ansip, the EC’s Digital Single Market VP.

“We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions”.

Informally known as Safe Harbour 2.0, the agreement is meant to let firms move personal data across the Atlantic without breaking the EU’s strict data transfer rules.  After many re-drafts, the EC believes the new framework is now robust enough to protect the data of European citizens.

Obligations and compliance overseer
The US Department of Commerce will be responsible for checking that companies that have signed up to the framework are actually following its rules.  Those that fail to do so face sanctions and removal from the list.  The same level of protection must also be maintained for any personal data that a participating company forwards on to third parties.

Safeguards and transparency around US government access
The EU has been assured that access by public authorities for law enforcement and national security purposes remains subject to clear limitations, safeguards and oversight mechanisms.  The US has committed not to undertake indiscriminate mass surveillance of the personal data of EU citizens, and every EU citizen will benefit from redress mechanisms.

Individual rights and redress
Under Safe Harbour 2.0, any citizen who considers that their data has been misused will be able to turn to a number of accessible and affordable dispute resolution schemes.  Ideally the complaint will be resolved by the company directly in the first instance; failing that, free-of-charge Alternative Dispute Resolution (ADR) will be offered.

EU-US annual joint review
The Privacy Shield scheme will be reviewed jointly each year by the European Commission and the US Department of Commerce.  National intelligence experts from the US and the European Data Protection Authorities will take part, assessing all available sources of information and issuing a public report to the European Parliament and the Council.

So where does this leave the rights of UK citizens post Brexit?
We need to remember that until the UK actually leaves the EU (Article 50 provides a two-year negotiating period once notice is given) UK citizens are still EU citizens, and therefore we all benefit from these changes.  In point of fact the General Data Protection Regulation (GDPR), which applies from May 2018, will become law in the UK because we will still be part of the EU at that point.  Additionally, the Information Commissioner’s Office (ICO) has already stated that any re-draft of the UK Data Protection Act would have to take into account both the GDPR and Safe Harbour 2.0.

The changes we have seen so far, and the adoption of a single European data protection law, lead me to ask whether a global data protection or global data transfer regulation, much like the international standards, would help safeguard every citizen.

The ‘hokey cokey’ of the Referendum debate


With June 23rd closing in upon us, political ping-pong seems to be the order of the day.  With so many mixed messages in the market, it is difficult to see the wood for the trees.

As we are all aware this is obviously a personal decision, but I believe it is one that should be based upon facts, not political point-scoring around the pros and cons of a Brexit decision.

We are given estimates suggesting that the total economic cost of EU membership is around 11% of our annual GDP, at around £200 billion.  Some say this money would be better spent on new British industries.  It is also stated that the EU is one of the world’s largest markets, accounting for 25% of global GDP.

The interesting point is that the EU is said to be our biggest trading partner, with 45% of the UK’s exports going to the EU and 50% of all imports coming from it.  You could argue that our membership makes us a more attractive destination for foreign investment.  Figures from 2012 show the UK held around £937 billion of Foreign Direct Investment, and 50% of UK FDI is EU-related.

‘Brexiters’ argue that we could independently pursue international trade deals with China, India and the US.  This may well be true, but is there anything stopping us today, or is there?

It is said that the EU has many layers of bureaucracy and regulatory issues.

I see that Nigel Farage believes we could strike an agreement with the EU that is similar to Norway’s, having access to the EU but not being bound by it.

And that is before mentioning the most charged debate of all, the effect of immigration on the country.

When I questioned my professional colleagues, it was very clear to me that they all have differing opinions, some to stay in and some to exit.  Both sides put up convincing arguments and, as far as I can see, neither is wrong and there is value in both.

One thing we all understand is where the EU has taken us as a country since 1972, but what would exiting deliver, and where would this untrodden ground take us?  In reality, nobody knows.


I therefore question what the real issues are, whether we are being given all the correct facts, and what the motives are.  Will we ever understand what it will mean to us before we are asked to vote in 27 days’ time?  Or will we simply be voting on minimal information, based on the approach favoured by our local MPs and on a set of reforms negotiated by Prime Minister David Cameron, be they weak or strong?

As an IT Managed Services Provider we could sit on the fence; however, for a few of our customers leaving the EU could have major repercussions.

What do you think?  How might it affect your business?

The 53rd State of IT


Research has suggested that British technology companies are significantly in favour of remaining within the EU, but Matt Warman, Conservative MP for Boston and Skegness, told a debate about the UK’s digital future that if the sector was so passionate about that position, it should speak up and hope to influence public opinion.

“The tech community is very, very strong in the opinion [that technology] is global,” said Warman, who is also in favour of staying in the EU and is the former consumer technology editor of The Telegraph and chair of the all-party parliamentary group for Broadband and Digital Connectivity.

“If you guys believe this stuff, get out there and say it. It’s a hard task for politicians because we are often not the most trusted people in the room.”

Tech and politics
He noted that US-based technology figures, such as Apple CEO Tim Cook and Facebook CEO Mark Zuckerberg, hold strong political views as well, particularly with regard to the Republican party frontrunner Donald Trump’s hopes of becoming the next president of the USA.

Indeed, Box CEO Aaron Levie opened his keynote speech at an event in London last week to “apologise” for Trump’s views, which have proved divisive both at home and abroad. However Warman accepted that technology firms had to balance their political beliefs with commercial sensitivities.

“Businesses need to find a way to get it out there. They need to … publicly say it rather than hope [the Referendum] goes one way.”

Industry support for EU
Research from industry body techUK suggests that 70% of its members want to stay in the EU, 15% want to leave and 15% don’t know.  The majority support the UK’s membership because it makes the country more attractive to international investment, makes the UK more globally competitive and gives it a more favourable trading relationship with other member states.

“There is a strong message from the tech industry that Europe is good for business. Tech leaders are clear that the UK needs to be holding the pen on the laws that affect their businesses,” said Julian David, techUK CEO.

“A vote to remain is a vote to ensure the UK voice is at the heart of policies that support the UK’s most innovative sector to continue to grow and create jobs. A vote leave would mean that the UK tech industry would lose its voice on the issues that matter most.”

Tech London Advocates surveyed its members and found that 87% oppose Brexit (the Leave campaign), because they believe that membership of the EU boosts the UK economy by making it more attractive to international businesses looking to operate in Britain.

Just 3% of respondents favoured the UK leaving the EU.  The remaining 10% reportedly declined to express an opinion on the matter.

There is clear concern within the tech industry about the impact of losing access to the European market.  The survey found that nearly three in four (71%) feel Brexit would make it harder to reach customers in EU countries and would threaten existing relationships with suppliers based in Europe.

And more than four out of five (81%) believe that Brexit would make it harder to employ people from EU countries.

“London has established a global reputation as the digital capital of Europe,” Russ Shaw, the founder of Tech London Advocates said. “There is significant concern within the digital community that Brexit would undermine this position and threaten relationships with the European market.

“Attracting international companies to the capital has been one of the great success stories of London’s digital economy,” said Shaw. “Brexit could see global businesses locating in emerging digital hubs in Berlin, Paris and Stockholm rather than London.”

Besides the above reasons, it seems that the London tech sector is not keen on the uncertainty that could be generated by a British exit.

“There are things I don’t agree with in the EU, but no one can tell us what the alternative will be like,” said Michael Seres, founder, 11Health. “I have an investment round coming up and am looking to hire 14 new people in the next 2 years. I can’t make those decisions if my access to markets and the regulation in this and those markets is unknown.”

Business Risk

“The business risk of leaving the EU is on balance too high,” said Nick Thomson, Chief Revenue Officer at Workshare. “Not just for us but for all businesses engaged in the sharing of data securely.”

And Thomson pointed out Europe’s role in tackling America over recent data protection concerns.

“As a large trading block the EU was able to secure the EU Data Protection Regulation against US pressure,” said Thomson. “The UK may well have to compromise this level of data protection in the negotiation for its new trade concession from the US. Leading not only to less data security for people and businesses based in the UK, but also making it vastly more complicated to share data with the rest of Europe – our main trading partners.”

There is a real possibility that the UK could vote to leave: recent polls suggest that almost seven in 10 pensioners want to leave the EU, while young people are more likely to be pro-European but less likely to cast a vote.

Thoughts

It is clear that the UK Referendum could have a significant impact on IT and data, which is quickly becoming, and always should have been, the “crown jewels” of every company.  Consider what transpired with Safe Harbour, which the European Court of Justice struck down in October 2015, and the General Data Protection Regulation (GDPR) now on the horizon: would the UK be in such a strong bargaining position outside the EU, or would we be caught in between the US and the EU?

Added to this, GDPR will apply before the UK could legally depart the EU, so data controllers and data processors need to plan for it regardless of the result.  That is before we even ask what the UK’s data protection and data handling policy would look like post-referendum if we exited.

Technology is global.  Manufacturers produce to global standards, and yet we still have geographic data protection regulations to adhere to.  Would a global data protection standard work?  Could nation states agree to subordinate their preferred local interests to a global framework, and would reaching agreement mean watering it down?

What do you think?
