Don’t give up on data reforms just because UK is quitting Europe
John Culkin, Director of Information Management, Crown Records Management
Pharmaceutical companies are being told to think twice before cancelling or delaying preparations for the forthcoming EU General Data Protection Regulation (GDPR), as the UK prepares to push ahead with Brexit in 2017.
Businesses across the country have been studying implications of the new regulation, due to be in force in May 2018, which aims to create a "one-stop shop" for data protection across the European Union.
Some of the key aspects of the bill include huge fines for data breaches, new rules around the collection of personal data and new rights for European citizens to ask for data to be deleted or edited. Many firms will also be required to appoint a Data Protection Officer.
However, the Brexit vote opens up the likelihood that the UK will have started the process of leaving the EU by the time it comes into force. In fact Prime Minister Theresa May seems focused on triggering Article 50 as early as March 2017.
So what does this mean for businesses, including pharmaceutical companies, in the UK currently preparing for new regulation and updating their policies and processes in the new year?
John Culkin, Director of Information Management, Crown Records Management has some of the answers:
It is tempting for businesses to think that because the UK intends to leave the EU this regulation will not apply. In fact, that isn’t the case. Although an independent Britain will not be part of the Regulation, in reality it will still be impossible to avoid its implications.
The regulation governs the personal data of all European citizens, providing them with greater control and more rights over information held about them. So any company holding identifiable information of an EU citizen, no matter where it is based, needs to be aware. With millions of EU citizens living in the UK, too, it’s hard to imagine that many businesses here will be unaffected.
The same applies to data breaches involving the personal data of European citizens. So it will still be vital to have a watertight information management system in place which allows businesses to know what information they have, where it is, how it can be edited and who is responsible for it.
Businesses should be thinking about the benefits of good information governance rather than hesitating because of what could happen in the future.
There is no point putting in place systems that ignore privacy by design, for instance, when that is good procedure – no matter what happens when the UK goes independent. The same is true of measures to protect a business from data breaches, which have reputational as well as financial implications – no matter who imposes the fine.
As for personal data, citizens, in the UK are only going to be more demanding about how their data is collected, stored and edited in future – the genie is out of the bottle and it’s not sensible to think that leaving the EU will change it. Preparing for a modern data world is not only about the GDPR.
Even though the UK has voted to leave the EU, data in Great Britain and Northern Ireland will continue to be regulated by the current Data Protection Act, which was passed in 1998. It will remain in place after exit, at least until Parliament decides to introduce a new law or amend it.
It’s worth noting that the UK’s data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines. So if businesses think that leaving the EU is suddenly going to change the agenda it is a dangerous stance to take.
Failing to prepare for the regulation could leave businesses open to fines, loss of reputation and – just as importantly – see them miss out on a chance to make the most of their data.
It’s pretty hard to see data regulation in the UK varying much from the essence of the EU GDPR which, after all, we have been heavily involved in drafting during the last few years. Having clear laws with safeguards in place is more important than ever in the modern world with a growing digital economy that relies on the safe sharing of data.
The political debate has its own arena and that is for people to make up their own minds on. But in terms of the GDPR this is a regulation designed to make things easier for businesses which work with the personal data of EU citizens.
A one-stop shop for data protection, for instance, is long overdue. Trying to regulate a rapidly evolving digital world with legislation dating from 20 years ago does not make sense. Any regulation which encourages businesses to have strong and robust information management systems in place should be a good thing.
There are certain requirements of the GDPR which may no longer apply, such as a requirement to appoint a Data Protection Officer for some companies. So, there could be cost savings in the short term. The reality, however, is that the general principles of the Regulation are pretty universal and likely to influence legislation and best practice in other areas of the world.
The best advice for businesses is to embrace those principles and prepare accordingly. Undertaking a data audit in 2017 and reassessing data protection and information management processes will help prepare for all eventualities – whether that is strengthening data protection compliance, building confidence for their brand or making the most of data assets.