The European General Data Protection Regulation (GDPR) is the biggest piece of legislation ever to hit UK organizations, and even in the event of a 'Brexit' they will still be forced to comply with the same or similar regulations to safeguard the digital economy, according to legal experts.
Speaking during a panel debate at Infosecurity Europe today, PwC global head of cybersecurity and data protection, Stewart Room, argued that the GDPR “exists in every workplace and it affects all of us.”
Hogan Lovells partner, Eduardo Ustaran, added that following the referendum on 23 June, the UK will in any case have to follow Europe from a data protection perspective because “it’s the only way to continue to be part of the digital economy in a lawful way.”
Canon director of EMEA information security, Quentyn Taylor, agreed, adding that if it didn’t, the UK “could be in the dock rather than the US” – referring here to the recent European Court of Justice decision which threw out Safe Harbor.
But there was good news for firms struggling to comply with this mammoth piece of regulation, with ICO group manager for policy delivery, Iain Bourne, claiming that “there will be some cutting of slack” when it comes to enforcement of the GDPR, if organizations can demonstrate they’re trying to do the right things.
He recommended compliance officers check out the ICO’s 12-step guide in this area which should give them some hints on where to start.
However, experts warned that the GDPR could also usher in more volatility by giving consumer rights groups, privacy bodies and other groups the ability to take organizations to court more easily, and to force changes in data practices.
“Every decision over the past two years [in data protection] has been strongly in favor of the individual – sometimes beyond what the claimant was asking for,” warned Ustaran.
Breach notifications will also herald more class action lawsuits and consumer-led campaigns to change data practices, warned the ICO’s Bourne.
However, there can be positive outcomes from compliance, as long as firms prioritize their efforts.
Sky group head of data protection and compliance, Nina Barazakai, claimed that her firm – which already has to comply with breach notifications as a telco – has been able to gain better visibility into the organization as a result of putting in security controls. Those controls have also helped it become more agile and even benefit commercially, she revealed.
Canon’s Taylor added that the whole GDPR compliance piece and especially the privacy by design stipulation is a wonderful opportunity for information security bosses to “get a seat at the table” right from the get-go. It will also help by freeing up additional budget for security investments, he added.