Don’t give up! Preparing for the data protection bill important despite Brexit

by John Culkin, director of information management, Crown Records Management, who reveals why pharma companies should still prepare for the EU GDPR regardless of Brexit.

John Culkin, director of information management, Crown Records Management

Pharmaceutical companies are being told to think twice before cancelling or delaying preparations for the forthcoming EU General Data Protection Regulation (GDPR), as the UK pushes ahead with Brexit.

Businesses across the country have been studying implications of the new regulation, set to be in force in May 2018, which aims to create a ‘one-stop shop’ for data protection across the EU.

Some of the key aspects of the bill include huge fines for data breaches, new rules around the collection of personal data and new rights for European citizens to ask for data to be deleted or edited. Many firms will also be required to appoint a data protection officer.

However, as a result of the Brexit vote and the recent triggering of Article 50 by Prime Minister Theresa May, the UK is already in the process of leaving the EU before the new regulation has come into force.

So, what does this mean for businesses, including pharmaceutical companies, in the UK currently preparing for the new regulation and updating their policies and processes in the New Year?

Here are some of the answers to commonly asked questions:

1. Will the EU GDPR still apply to post-Brexit UK businesses?

It is tempting for businesses to think that because the UK is leaving the EU this regulation will not apply. In fact, that isn’t the case. Although an independent Britain will not be part of the regulation, in reality it will still be impossible to avoid its implications.

The regulation governs the personal data of all European citizens, providing them with greater control and more rights over information held about them. So, any company holding identifiable information of an EU citizen, no matter where it is based, needs to be aware. With millions of EU citizens living in the UK, too, it’s hard to imagine that many businesses based in the UK will be unaffected.

The same applies to data breaches involving the personal data of European citizens. Therefore, it will still be vital to have a watertight information management system in place which allows businesses to know what information they have, where it is, how it can be edited and who is responsible for it.

2. Why should businesses push ahead with data reforms regardless of Brexit?

Businesses should be thinking about the benefits of good information governance rather than hesitating because of what could happen in the future.

There is no point putting in place systems that ignore privacy by design, for instance, when that is good procedure — no matter what happens after the UK becomes fully independent. The same is true of measures to protect a business from data breaches, which have reputational as well as financial implications — no matter who imposes the fine.

As for personal data, citizens in the UK are only going to be more demanding about how their data is collected, stored and edited in future — the genie is out of the bottle and it’s not sensible to think that leaving the EU will change it. Preparing for a modern data world is not only about the GDPR.

3. What regulations will affect UK business once Brexit has been completed?

Even though the UK has voted to leave the EU, data in Great Britain & Northern Ireland will continue to be regulated by the current Data Protection Act, which was passed in 1998. It will remain in place after exit, at least until parliament decides to introduce a new law or amend it.

It’s worth noting that the UK’s data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines. So, if businesses think that leaving the EU is suddenly going to change the agenda, it is a dangerous stance to take.

Failing to prepare for the regulation could leave businesses open to fines, loss of reputation and — just as importantly — see them miss out on a chance to make the most of their data.

4. How might UK data regulation differ in future from that in Europe?

It’s pretty hard to see data regulation in the UK varying much from the essence of the EU GDPR which, after all, we have been heavily involved in drafting over the last few years. Having clear laws with safeguards in place is more important than ever in the modern world with a growing digital economy that relies on the safe sharing of data.

5. What are the benefits of the EU GDPR? Could we be missing out by leaving?

The political debate has its own arena and that is for people to make up their own minds on. However, in terms of the GDPR this is a regulation designed to make things easier for businesses that work with the personal data of EU citizens. A one-stop shop for data protection, for instance, is long overdue.

Trying to regulate a rapidly evolving digital world with legislation dating from 20 years ago does not make sense. Any regulation which encourages businesses to have strong and robust information management systems in place should be a good thing.

6. What could be the benefits of being outside the EU GDPR?

There are certain requirements of the GDPR that may no longer apply, such as a requirement to appoint a data protection officer for some companies. So, there could be cost savings in the short-term. The reality, however, is that the general principles of the regulation are pretty universal and likely to influence legislation and best practice in other areas of the world.

The best advice for businesses is to embrace those principles and prepare accordingly. Undertaking a data audit in 2017 and re-assessing data protection and information management processes will help prepare for all eventualities — whether that is strengthening data protection compliance, building confidence for the brand or making the most of data assets.
