With big data comes big responsibility

Every week we’re seeing new warnings about how Brexit will impact different parts of the UK economy. Proposed changes to data protection rules have been highlighted as the latest concern after the House of Lords EU Home Affairs Sub-Committee published a report last week calling for “unhindered and uninterrupted” data flows between the UK and EU following Brexit.

Data has become a central issue for policymakers and businesses over the last decade. Government figures from last year show that almost half of UK businesses were hit by an attack in 2016, up 22 per cent on the year before. The recent spate of high-profile cyber-attacks, such as the NHS malware attack and the data breach at Tesco Bank, has also added to the existing concern over how data is stored and made the need for effective regulation in this space more important than ever before.

Incoming regulation

One of the major developments in this area is next year’s scheduled implementation of a major EU legal framework: The General Data Protection Regulation (GDPR). This has been designed to shore up how companies store data and react in the event of a cyber-attack. The GDPR has been years in the making and is due to come into force in May 2018, applying to all EU member states, including the UK.

The framework will introduce a wave of reforms, including a new requirement that organisations report a data breach to the regulator and customers within 72 hours of an attack. Data owners will also be given the right to request a copy of their data and the right to have any personal data erased at their request.

Crucially, GDPR will also be cross-border, meaning it will affect any type of business offering any type of service involving data to or from the EU market, regardless of whether the information is stored or processed on EU soil. The GDPR also sets out tough fines for those who break the rules – €20m or 4 per cent of turnover, whichever is higher – and recent figures from OnePoll (see below) suggest members of the UK public are increasingly likely to use their new powers.

Last week, the House of Lords called for the government to guarantee an “adequacy decision” to ensure the GDPR is carried over into UK law post-Brexit to ensure UK businesses are not at a competitive disadvantage when dealing with EU companies after 2019. Similar requests are being made in different sectors, notably financial services where lobby groups have called on the government to introduce ‘equivalence measures’ should there be a loss of passporting rights.

Failure to implement ‘adequacy’ could result in companies having to design and agree individual contracts on the safe management and storage of data, which would not only add additional administrative costs to any transaction but also put off many potential investors from working with UK companies.

Will the government implement GDPR?

The UK government has so far indicated that they are committed to implementing GDPR, stating it will form part of the Data Protection Bill, which is due to be tabled in the House later this year. However, the Lords’ report was sceptical, saying they had been “struck by the lack of detail in the government’s assurances thus far”.

After all, the UK has a history of butting heads with EU regulators over data protection, most recently in December 2016 following the passage of the Investigatory Powers Bill, when the European Court of Justice ruled that “general and indiscriminate retention” of data by governments was illegal. The case was ironically brought forward by Brexit Secretary David Davis, then a Conservative backbencher, and Deputy Labour leader Tom Watson. The pair rejected claims that UK companies should be compelled to keep records of customers’ internet and phone use for up to 12 months, and gained support from leading pressure groups such as the Law Society and Liberty Human Rights when taking their case to Luxembourg.

So, what next for investors?

Given the GDPR is due to come into effect in May 2018, the UK will be expected to implement the rules as it will still be a member of the EU. Overturning it will be possible following Brexit, though given the heavy involvement of UK officials and politicians in drawing up the new regulation, many believe the general principles behind it will be set in stone even after we leave the EU in 2019.

For many investors, the most pressing concern should be ensuring any current or future assets are effectively prepared to meet the incoming requirements under GDPR. There are growing numbers of reports of UK businesses who mistakenly believe the new rules won’t apply to them because of Brexit. A study in March this year, conducted by information management firm Crown Records Management, found that 24 per cent of UK businesses are no longer preparing for GDPR, while 44 per cent of those surveyed said they didn’t think the regulation would apply to UK businesses after Brexit. A similar survey by YouGov also revealed that 38 per cent of UK businesses were not aware of the new rules whatsoever.

These worrying figures suggest that although last week’s Lords’ report rightly recognised that setting up ‘adequacy measures’ would help limit the disruption to UK companies trading with the EU after 2019, the more immediate issue for investors could be just around the corner.