You might be forgiven for thinking that GDPR and data protection are not a problem for UK or US-based company that avoid soliciting EU business. But there are many reasons to take it seriously.


Independently of the Brexit negotiations, UK national laws already apply. All organisations in the UK that collect, process or store personal information must comply with the UK Data Protection Act 1998 (DPA), or face fines of up to £500,000 in the event of a data breach. And given that Brexit cannot come into effect before Spring 2019, this leaves a full year in which GDPR punitive measures will apply to the UK just like in any other EU member state.  And even post-Brexit, the “Great Repeal Bill”, intended to come into effect immediately on exit from the bloc, would directly incorporate all EU law into UK law. During an unspecified period, it will then be possible to “amend, repeal or improve any law after appropriate scrutiny and debate”.

Whether Brexit culminates in something resembling a Norwegian or Swiss model, or a far less EU-friendly alternative – even the hardest Brexiteers would probably agree that instead of a freestyle deal, maintaining equivalent data protection regulations with the trading partner that consumes over 50% of your exports could be a good idea. The Information Commissioner’s Office (ICO) states in basic terms: “if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”

According to PwC, the new compliance journey will require organisations to map and classify all their personal data; perform risk assessments; design privacy protections into all new business operations and practices; employ dedicated data protection officers; monitor and audit compliance; and document everything they do with data.  Clearly GDPR compliance will become a major advantage over rivals.


Although there is no single, comprehensive federal (national) law regulating the collection and use of personal data, each congressional term brings proposals to standardise laws at a federal level. A mixture of federal and state laws and regulations sometimes overlap, match and contradict one another. In addition, there are many guidelines, developed by governmental agencies and industry groups that do not have the force of law, but are part of self-regulatory guidelines and frameworks that are considered “best practices”. These have accountability and enforcement components that are increasingly being used as a tool for enforcement by regulators.

Yet attitudes to data privacy in the US and EU have historically been considered as polar opposites. EU attitudes towards data privacy, which favour the rights of the individual, contrast with those of the US under the US Patriot Act which favours the rights of the state. So how can we reconcile data privacy and public security in a world where terrorism is striking at the heart of our democracies? Wherever you stand in this debate, the impact of these regulations will be non-negligible.

Some of the most prominent US federal privacy laws include the Federal Trade Commission Act (FTC Act), Financial Services Modernization Act (Gramm-Leach-Bliley Act – GLB), Health Insurance Portability and Accountability Act (HIPAA), Security Breach Notification Rule, Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act, Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. The President has already said that with regard to cyber security, data retention, data transfer and compliance, some of the existing regulations will be changed, potentially even replaced with some new, stricter regulations.

So like it or not, data privacy is a force to be reckoned with in 2017. Compliance with the most stringent GDPR is a safety net in transatlantic business. The old “Safe Harbor” mechanism in the US has now been replaced by the “Privacy Shield”, effective from August 2016 and endorsed by the European Court of Justice. Any US company can self-certify for Privacy Shield to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield Framework is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under US law.  It is said that the new framework will underpin over $250bn of transatlantic trade in digital services annually by facilitating cross-border data transfers with the EU.


By Olenka Van Schendel, vice president of strategic marketing & business development at Arcad Software

Visit our website to see events that will help you keep up to speed on; Data protection, cyber security, digital marketing and business growth. View upcoming events here!

comments powered by Disqus