Brexit could have disastrous consequences for UK business if attention is not paid to the ramifications of the General Data Protection Regulation (GDPR) at the time of negotiation, a senior legal expert has warned.
Speaking on the GDPR focus panel at Infosec 2017, Cameron Craig, group head of data privacy at HSBC, told the audience of security professionals that “without a data agreement, business would grind to a halt”. Craig elaborated:
The big risk is that [post Brexit] the EU doesn’t recognise UK as an adequate jurisdiction. Hopefully we’ll be whitelisted, and this is a key objective of the negotiation strategy. In the absence of that we’d have to create a treaty on data, like we do with the US. The bottom line is that we really do need to sort it out!
In a wide-ranging discussion about GDPR and its ramifications, the panel identified a series of key challenges and framed existing and upcoming advice from the ICO.
Steve Wright, group data and information security officer at retail chain John Lewis, said that a wide-reaching challenge in GDPR is the new format and the language around it.
Interpretation is the biggest challenge, we’ve been finding, very unlike an ISO or PCI standard. Another key challenge is around the vast amounts of data on legacy systems – regulation of this area, especially for us as a retailer, is not something we’re used to dealing with.
Craig agreed, saying: “Large areas of the GDPR when compared to existing legislation are the same, just couched in different language.” He added:
There is a real challenge for the financial sector here, though, as clearly they had big data companies like Facebook and Google in their crosshairs when they were writing many of these provisions, but data processing in the finance sector can be quite different – especially around consent, for example.
The GDPR comes into force across Europe on May 25, 2018, and sets new standards for data protection, including new, more stringent penalties for companies that breach the guidelines, as well as increased consumer protection around the use and retention of personal data.