The U.K. will adopt stringent data protection laws regardless of Brexit

Although the U.K. voted to leave the EU in June’s referendum, this doesn’t seem to have altered the government’s plan to adopt strict EU data protection laws; namely the General Data Protection Regulation (GDPR).

This Regulation will come into force on the 25 May 2018 with the aim of helping organisations and companies to understand the legal framework in the EU. There are some similarities with the U.K.’s Data Protection Act (DPA), but the new GDPR seems to be more stringent.

The Information Commissioner’s Office (ICO), the U.K.’s data protection watchdog, has noted that the U.K.’s decision to leave the EU will not affect the Regulation coming into force, and this has been confirmed by the U.K. government as well.

The GDPR was introduced with the aim of assisting businesses and services in an ever-growing digital era with a focus on the importance of having clear laws to safeguard personal information highlighted in the Regulation, and an obligation on businesses and companies to publicly disclose data breaches.

It couldn’t have come at a better time in light of the growing data breach scandals worldwide. Yahoo kept their 2014 data breach concealed for more than two years – with the GDPR, Yahoo or any other companies facing a similar breach would be legally required to publicly disclose the breach, which would include informing the ICO of the breach.

Penalties

After investigating the matter, if the ICO sufficiently finds that the company or organisation has breached its data protection obligations and responsibilities, they can impose a penalty on the company or organisation accordingly. Under the new Regulation, companies are facing “more stringent sanctions“. Currently, the ICO can impose fines of up to £500,000, but under the new EU Regulation, companies could face up to 4 per cent of their annual turnover or £16.9 million – whichever sum is greater.

Now that’s a punishment!

The EU penalties don’t distinguish between whether the data breach was as a result of a cyber-attack or a human error, and is more focused on whether or not the company or organisation breached their legal data protection obligations. Some may argue this to be unfair, as not all companies can prevent cyber-attacks from happening. However, a stronger argument stands that companies and organisations should have sufficient cybersecurity in place to prevent, or at least mitigate, the damages caused.

Companies should be held responsible for their actions, and if they fail to keep their customers’/users’ data safe, they should pay the price.

It’s as simple as that.

A reason for stringent penalties

A reason for more stringent penalties could be because data breaches can affect an individual’s life far beyond the breach itself. If their personal information is stolen, cybercriminals can use that information to commit identity theft, financial fraud, and sell the information on the “dark web”. It doesn’t stop there of course: data theft can also cause long-term psychiatric damage and/or extreme distress to an individual as well.

Importance of strong cybersecurity

The GDPR is seen as a crucial tool to staying in the single market. It was introduced with the aim of universalising all data protection rules, making it easier for both businesses and consumers.

It’s also seen as a tool to remind companies and organisations of their responsibility to protect their customers’ or users’ information. Matt Hancock, the culture and digital minister, said that this is a strong move in the right direction for the government to incentivise strong cybersecurity.

It’s time for companies and organisations to buck up their cybersecurity ideas especially now governments are looking to clamp down on businesses and organisations who are being lax in their cybersecurity. This comes as part of the U.K.’s five-year cybersecurity review.

Following the implementation of the GDPR, we may well see an increase in data breaches, but this may be a false perception. The GDPR requires companies to publicly disclose their data breaches, so we may not be seeing an actual increase as such, but a perceived increase as, currently, the majority of companies may not be disclosing their data breaches at all.