Question: What European Union law has a profound impact on UK organizations (as well as other countries around the world)?
Answer: The General Data Protection Regulation (GDPR).
“Not true,” I hear you say, “The UK has voted to leave the EU.”
Yes, although the “when” and “how” questions about Brexit have yet to be answered—particularly in light of the recent UK election.
But Brexit or no Brexit, the UK is still firmly in the sights of GDPR’s regulatory sharks, because any organization processing personal data for the offering of goods and services to, or monitoring the behavior of, data subjects within the EU is also affected.
When British Prime Minister Theresa May outlined her plans for Brexit earlier this year, she made it clear that the UK would continue with GDPR: "As part of this process, existing EU laws in force in the UK would be converted into full UK laws. That, effectively, means that the ... GDPR will be law in the UK, too."
This means that many organizations outside the EU also have to adhere to the regulation. Yet, after the Brexit vote in June 2016, almost a quarter of British firms cancelled their GDPR programs, while some 4% had not even begun to prepare, said Information Age.
“Alarmingly, a massive 44% of those surveyed said they didn’t think the regulation will apply to UK business after Brexit,” said the article.
They are wrong. And they have little time to prepare; the deadline is May 25, 2018. Failure to comply by that date will be punished expensively: fines can be up to 4% of your global revenue. GDPR is a game-changing challenge for organizations, involving people, processes and technology.
The challenge includes hiring a Data Protection Officer to oversee GDPR. Then you must involve the enterprise architecture team, IT system and business process owners, IT security SMEs, compliance experts, risk managers, auditors, IT & business planners and strategists, and CEOs. HR, marketing, tech support and QA also have to be involved from the ground up. They each have a role to play and need a technology platform to let them do it.
You will have to throw everything you’ve got at meeting the GDPR deadline, from people to technology. To start your GDPR project it makes sense to find out where in your company you process privacy data and who uses personal data. This can be done using process modeling capabilities that include application systems, processes, data and risks.
A governance, risk and compliance (GRC) management solution can be used to establish an internal control system. If risks, controls and test cases are combined with business process management analysis (BPA) and embedded into process steps, GRC management can also help to improve performance and align all measures with the corporate strategy. Software AG can help with all of this and more.
But GDPR is not all bad news. The UK data protection agency (the Information Commissioner’s Office) believes that the regulation is a real opportunity.
“Get data protection right and you can see a real business benefit,” said Elizabeth Denham, UK Information Commissioner. “It offers a pay-off down the line, not just in better legal compliance, but a competitive edge.”
There may be a lot to do, but the payoff is clearly better than letting the regulatory sharks bite your bottom line.