You might be forgiven for thinking that GDPR and data protection are not a problem for UK- or US-based companies that avoid soliciting EU business. But there are many reasons to take it seriously.
UK
Independently of the Brexit negotiations, UK national laws already apply. Though due for replacement, the UK Data Protection Act 1998 (DPA) currently applies to organisations in the UK that collect, process or store personal information. A failure to comply risks a fine of up to £500,000 in the event of a data breach.
Now the UK's third generation of data protection law has entered Parliament. The Data Protection Bill was published on 14 September 2017 and aims to modernise data protection laws to ensure they are effective in the years to come.
The new bill includes much harsher penalties than its predecessor. Among the plans laid out in the bill is to give the ICO (Information Commissioner's Office) the power to fine companies up to £17 million, or 4% of global turnover, in the "most serious data breaches."
This UK Data Protection Bill is due to come into force by the end of 2017, ahead of the GDPR, which will apply in the UK from 25 May 2018. The government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR.
This means organisations will still have to comply with this regulation, and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country, and the DP Bill sets out the details of these UK provisions. It is therefore important that the GDPR and the Bill are read side by side.
Previously referred to as the Great Repeal Bill, the EU Withdrawal Bill will also convert all existing EU laws into UK law, to ensure there are no gaps in legislation on Brexit day.
According to PwC, the new compliance journey will require organisations to map and classify all their personal data; perform risk assessments; design privacy protections into all new business operations and practices; employ dedicated data protection officers; monitor and audit compliance; and document everything they do with data.
Clearly, GDPR compliance will become a major advantage for organisations over rivals.
US
Although there is no single, comprehensive federal (national) law regulating the collection and use of personal data, each congressional term brings proposals to standardise laws at a federal level. Instead, a mixture of federal and state laws and regulations sometimes overlap, match or contradict one another. In addition, there are many guidelines, developed by governmental agencies and industry groups, that do not have the force of law but form part of self-regulatory guidelines and frameworks considered “best practices”. These have accountability and enforcement components that are increasingly being used as a tool for enforcement by regulators.
Yet attitudes to data privacy in the US and EU have historically been considered polar opposites. EU attitudes towards data privacy, which favour the rights of the individual, contrast with those of the US under the US Patriot Act, which favours the rights of the state. So how can we reconcile data privacy and public security in a world where terrorism is striking at the heart of our democracies? Wherever you stand in this debate, the impact of these regulations will be non-negligible.
Some of the most prominent US federal privacy laws include the Federal Trade Commission Act (FTC Act), Financial Services Modernization Act (Gramm-Leach-Bliley Act – GLB), Health Insurance Portability and Accountability Act (HIPAA), Security Breach Notification Rule, Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act, Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. The President has already said that with regard to cyber security, data retention, data transfer and compliance, some of the existing regulations will be changed, potentially even replaced with some new, stricter regulations.
So like it or not, data privacy is a force to be reckoned with in 2017. Compliance with the GDPR, the most stringent of these regimes, is a safety net in transatlantic business. The old “Safe Harbor” mechanism in the US has now been replaced by the “Privacy Shield”, effective from August 2016 and endorsed by the European Court of Justice. Any US company can self-certify for Privacy Shield with the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield Framework is voluntary, once an eligible organisation makes the public commitment to comply with the Framework’s requirements, that commitment becomes enforceable under US law. It is said that the new framework will underpin over $250bn of transatlantic trade in digital services annually by facilitating cross-border data transfers with the EU.
For more information, read our Data Protection White Paper.
By Olenka Van Schendel, vice president of strategic marketing & business development at Arcad Software