On 15th December 2015, the European Parliament, the Council and the Commission agreed on a new Digital Single Market Strategy: The General Data Protection Regulation (GDPR). It was put in place to establish an EU wide data protection framework that will be made law in May 2017. In this blog we will look how this affects companies with in the UK following Brexit and data protection reform, the implications for data protection/transfer for UK organisations, how UK organisations will come under the GDPR framework despite the UK’s impending EU exit, and what businesses need to do in order to comply and remain approved for EU data transfers.
Each EU country currently requires different levels of compliance when dealing with data security and transfer, but after a two-year transition period on 25th May 2018, the GDPR will come into effect and standardise the data protection rules across the whole of the European Union.
When will it happen?
The May 2018 start date of GDPR will cross-over with the UK’s Article 50 EU exit estimate date between late 2018 to 2020, meaning the UK will directly operate under the GDPR law for some time. This will require all UK based organisations that process and store personally identifiable information (PII) of EU citizens to abide by the new elements of the regulationpotentially face penalties for non-compliance. Key changes include consent, the need to provide full audit trails, data exports and subject access requests. Failure to comply with the new directives for protecting processing data could potentially be a costly one, with organisations facing massive fines of up to €20m or 4% of total annual worldwide turnover, whichever is higher.
The EU viewed the new data protection programme as a necessity with its implementation being viewed as widely popular, with more than 90% of Europeans stating their desire for universal EU wide data protection rights, regardless of where their data is processed. A recent Euro barometer survey indicates just how low the trust levels are in regards to data protection following recent data breaches, with more than two thirds (67%) of Europeans worried that they have no control over their online information, with six out of ten not trusting online businesses (63%).
Companies at risk
Yahoo has recently been making headlines all over the world in what has been described as “the biggest ever breach of customer data” with an estimated 500 million accounts compromised and comes after other previous high profile breaches of customer data featuring well-known companies including Carphone Warehouse, Google, MySpace and Dropbox. These examples show just how easily hackers seem to be able to steal important personal information and the desperate need for the new GDPR law, which will help combat data breaches and force organisations to enact tougher security measures, hopefully reducing the instances of cyber-crime in the future.
Yahoo’s inability to identify the 2014 data breach and failure to notify its customers until several years later would potentially have had much bigger ramifications had the GDPR law been in effect during this time. Yahoo could have possibly been fined 20% of their global turnover (2015 – $4.96 billion), which works out to a potential $1 billion dollar fine for failing to properly secure personal customer accounts and not notifying customers in a timely manner. However, Yahoo may see a financial penalty of a different sort as its recently agreed takeover deal with Verizon to be purchased for $4.8 billion (currently subject to approval by a number of regulatory bodies) could now be in jeopardy.
What it means
When the GDPR comes into law, it will give EU subjects the right to a more secure data protection platform and force companies to notify customers within 72 hours if their data has been hacked. This will allow customers affected by data breaches to change passwords and monitor accounts for suspicious activity in a timely manner, avoiding potential delays in taking action as seen in the Yahoo case.
The implementation of GDPR will not just affect EU companies; but will also cover any organisation that may not be based within the EU, but still operates within its borders (including UK based companies) and handles personal data of EU subjects. The Information Commissioner’s Office (ICO) has stated that “…once implemented in the EU, the GDPR will be relevant for many organisations in the UK…With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial…”
By the time the UK is ready to exit the EU, companies and organisations will likely have already spent the time and money on IT, personnel, governance and communications to accommodate the new regulations, making continued adherence with the GDPR likely. An established finding of adequacy by the EU will however have to be created (similar to Canada and Switzerland) for the UK by the EU that enables data to be transferred between countries without the use of model contracts.
So what does this mean for background screening? In order for screening in the near future to be carried out quickly, safely and effectively, it is essential that the UK Government reach a consensus on the transfer of sensitive data with the EU to ensure continued data protection, job creation and prosperity. A failure to implement the agreed legislation by the estimated Brexit date could potentially hinder the ability for organisations in the UK to carry out their duties in a timely, secure and accurate manner.
If you would like to speak to CBS about any background screening services, you can call us on: 01443 799 900 or email us on: info@cbscreening.co.uk