It might be Brexit ‘no more European rules’ complacency or the all-consuming COVID-19 survival strategies – even a mixture of both – but too many UK companies seem to have forgotten their carefully crafted data privacy strategies, says Peter Newton. The risks have not gone away and an urgent reassessment is required…
How quickly we forget. In the run-up to the 2018 EU GDPR compliance deadline, businesses escalated data privacy and security strategy to the board level. Senior managers’ attention was grabbed not only by the significant hike in potential fines, but also by the personal liability introduced by the new legislation. Three years on and in a post-COVID, post-Brexit UK economy, data privacy appears to have slid - if not right off, then significantly further down - the corporate agenda.
Many of those vital data protection officers (DPOs) who provided a dedicated data privacy compliance role were furloughed, or their roles have been quietly merged into a compliance function and made redundant.
Individuals are now happily handing over their personal data – from email addresses to mobile phone numbers – to pubs and restaurants, with apparently zero concern about how that data is being stored. What happened? And what are the implications for businesses?
Unchanged Regulatory Compliance
Just consider what has changed over the past year. Firstly, Brexit. The UK may no longer be part of the European Union, but that has not reduced the strength or severity of data privacy requirements. The UK’s Data Protection Act (DPA) was designed to mirror GDPR – essentially GDPR was enshrined within the UK DPA – which means companies still need to meet the same rigorous data privacy demands as before Brexit.
In fact, there are additional considerations. For example, data collected before January 1st 2021 should be treated as legacy data, while data collected from that date is current. In the event a breach occurs, a company needs to be able to identify these different data resources, as each may fall under a different regulatory regime.
Data transfer between the EU and UK is, of course, essential to continue trading. This depends on equivalence being granted – as appears probable in light of the recent Adequacy Statement – and, from the date it is granted, would last for four years. This will hopefully be confirmed by the EU before the conclusion of the initial withdrawal agreement on 30th June. In addition, the UK remains a party to the European Convention on Human Rights and to ‘Convention 108’ of the Council of Europe, the only binding multilateral instrument on data protection. Moreover, while the UK has left the EU, it remains a member of the European ‘privacy family’, which recognises a number of other regulations (originated while the UK was a member of the EU) that UK businesses need to consider – from the Freedom of Information Act (FOIA) to the Privacy and Electronic Communications Regulations (PECR), the eIDAS regulation for electronic transactions and the Environmental Information Regulations (EIR).
Escalating Digital Use and Risk
Compliance with these regulations has become even more pressing given the second key change that occurred during 2020, namely the extraordinary escalation in the use of digital commerce. New channels to market and new ways of working have heightened security risks. A report published by trade body UK Finance showed online fraud rocketed as criminals sought to exploit UK consumers’ increasing reliance on online banking, shopping and social media amid multiple lockdowns.
For businesses, the growing sophistication of phishing expeditions suggests criminals have been using very accurate (hacked?) data for some time – with targeted attacks intelligently and surgically exploiting personal data to hoodwink even the most switched-on individual. In addition to mitigating the risk of falling foul of criminal activity, many companies have overlooked some of the basic data security requirements associated with new, ‘at scale’ remote and distributed ways of working.
Video conference calls - Zoom, MS Teams, for example - have become ubiquitous – but how many companies are storing recorded calls without informing all the participants? How many participants have checked the terms and conditions of the video service? And that is just one of the external services that have been adopted at speed in response to challenges created by the pandemic: who is verifying the way these services are operated, their models of data storage, protection, and erasure?
This relaxed (“we must just get through the pandemic”) attitude to data security is a massive concern, especially if businesses are planning to expand operations beyond Europe. From Canada to New Zealand, Malaysia to Australia, other countries have rigorous data privacy laws or are refreshing them – with high punitive fines and, in some cases, personal liability. The People’s Republic of China (PRC) is consolidating its data privacy requirements, while there are currently over twenty privacy Bills moving through the legislative processes of individual US states. Granted, a number will fail, but the themes of consumer rights and business obligations are broadly similar across them.
Data privacy compliance has become a fundamental aspect of successful global operations.
It is essential that companies revisit and recommit to data privacy strategies – and that starts with a complete review of all data protection policies and procedures. Revisit the data asset inventory to understand what data is being collected, how and from where it is being collected and stored, and what the data deletion policies are. In addition, companies need to consider third-party service providers, such as payroll processors, systems suppliers, marketing clouds etc., to assess their data security and privacy provisions. A data protection impact assessment (DPIA) is key to determining how, when, and where a third party is managing this sensitive data.
Enhanced due diligence with all third parties is now vital – but it is also important to review group and inter-group data transfer agreements. Any company using a centralised CRM across multiple jurisdictions, for example, needs to understand the implication of local data privacy regulations and global data transfer laws to ensure compliance.
Data privacy requirements have not been diminished by the UK’s exit from the EU. Not only must UK businesses comply with regulations in the UK DPA that are as stringent and punitive as EU GDPR, but the risks associated with data breaches have radically increased. And this is before the potential adoption of biometric data for identity cards, vaccine passports, and even work access. By side-lining a commitment to data privacy, companies risk sleepwalking into a data protection minefield – and one that, given the scale of possible fines, could be commercially devastating.
It is time to get those DPOs back, embark upon a robust data privacy assessment, and ensure that every evaluation of a possible new market includes a deep dive into that country’s approach to enforcing data privacy.