Despite the UK's looming exit from the European Union, the government has confirmed that it will adhere to the EU's General Data Protection Regulation (GDPR), especially because it was actively involved in the drafting of the new regulations.
In a briefing to the House of Lords committee earlier this year, Minister of State for Digital and Culture Matt Hancock confirmed that Brexit will have no impact on the implementation of GDPR in the UK. The government will also repeal certain portions of the existing UK Data Protection Act before the new regulations come into effect exactly a year from now.
Hancock added that the government wants to ensure an uninterrupted flow of data between EU-member states and the UK post-Brexit, and for this to happen, it is essential for GDPR to be implemented in full. The Information Commissioner’s Office has also confirmed that data privacy rules in the UK after Brexit will resemble the GDPR.
As of now, businesses that store customer data and fail to protect it from cyber-attacks or data breaches are liable to pay fines of up to £500,000 to the exchequer. GDPR will require such businesses to pay fines to the tune of either 4% of their annual worldwide turnover or €20 million, whichever is higher.
At the same time, GDPR or its mirror law in the UK will require UK businesses to report instances of data breach to the Information Commissioner's Office, as well as to affected customers, within 72 hours. Businesses will also be required to have technologies in place to detect data breaches as and when they occur. However, if customer data is encrypted, then businesses will not be required to follow that timeline.
Aside from these, GDPR will bring in many new regulations and requirements to which UK businesses will have to adhere once the law comes into effect next year. To prepare themselves, businesses will not only be required to encrypt the personal data of customers but will also have to monitor who the data is shared with, where it is stored and how it is used.
At the same time, businesses will need to keep tabs on their data handling processes and restructure their practices to handle requests from people about their data, including editing it or deleting it from cloud computing services. Independent data processing officers will also have to be appointed under the upcoming regulations.
However, this is easier said than done. British businesses have a lot to do to ensure round-the-clock cyber-security, and a large number of them have been found lacking when it comes to implementing cyber-hygiene and data protection practices. According to the British Chambers of Commerce, 20% of all British businesses were struck by cyber-attacks in 2016, and the most affected were businesses employing more than 100 staff.
To prepare businesses against cyber-attacks and data breaches, the government is running an ambitious and helpful 'Cyber Essentials' accreditation programme which helps companies strengthen their IT systems, implement the latest cyber security practices and effectively handle and protect customer data. Despite the push, only 10% of sole traders and 15% of firms employing one to four employees are currently part of the programme, compared with 47% of large firms that have signed up so far.