The myth about GDPR not being implemented due to Brexit seems to have taken on a life of its own. It would explain why so many businesses are either ignoring or suspending the implementation of a GDPR framework*.
What are the facts?
GDPR Implementation suspended?
According to this article, 44% of businesses don’t think GDPR will apply to UK companies. A quarter of organisations have already abandoned plans to implement it. Perhaps this shouldn’t be a great surprise. The article also claims the ICO is aware that half of all businesses still don’t comply with our current data laws. After coming from the practicalities of IT, I can only say I’m surprised it is only half, but let’s get back to the point.
Let’s confront the myth head-on.
Myth: The GDPR won’t be implemented in the UK due to Brexit
Fact: On March 1st 2017, Karen Bradley, Secretary of State for Culture, Media and Sport, launched the UK Digital Strategy. In the executive summary here it says:
“The UK will therefore implement the General Data Protection Regulation by May 2018. This will ensure a shared and higher standard of protection for consumers and their data across Europe and beyond.
As part of our plans for the UK’s exit from the EU, we will be seeking to ensure that data flows remain uninterrupted, and will be considering all the available options that will provide legal certainty for businesses and individuals alike.”
That’s a pretty unambiguous statement, and it is worth noting that Karen Bradley has been returned to her post following the election, so don’t expect any changes.
To drive home the point, the ICO even released a video on May 25th:
(the fact it has had just over 3000 views is a bit of a worry)
Why businesses should thrive under GDPR
It’s in the UK’s interest to have a clear, concise framework for businesses to work in. We already have PECR, the DPA, the ePrivacy Directive and many other pieces of data privacy legislation and guidance applicable to different business sectors. We have government-backed initiatives, such as Cyber Essentials, that complement the objectives of legislation and guidance. The fact that many businesses still don’t do the basics should be a wake-up call.
Computer Weekly quoted Deputy Commissioner of the ICO, Rob Luke, as saying:
“Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law. Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong,”
It isn’t complicated (that covers myth 2) and it should be an opportunity for your organisation rather than a hindrance. So ignore the myths, stop viewing data compliance and security as a hindrance and, if you haven’t already, start preparing for the inevitable. If you don’t, then your clients may start voting with their feet, and in this insecure world who could blame them?
*Of course, this also misses the point that GDPR can have many business benefits and isn’t just about compliance.